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FOREWORD 


Control not "privacy" 

The "Public Services Card project" has been around for a long time in Ireland. For almost as long, 
the national data protection authority has taken a keen interest in the evolution of the 
processes and systems surrounding the Public Services Card (PSC). 

This is because it's an arrangement that requires the processing of significant volumes of 
personal data from practically every person in Ireland and which underpins important decisions 
to be taken about those persons, such as whether to grant or suspend a payment or issue a 
passport. Equally, given the way the card is used, it's an arrangement that gives rise to 
potentially adverse consequences for the user. Such consequences may flow from, for example, 
a failure on the part of an individual to keep those elements of their personal data that are 
associated with the PSC updated; consequences may also follow if a card is not acquired in the 
first instance, i.e. access to a particular public service may be denied if the applicant fails to 
obtain and produce a PSC to the public-sector service provider. Accordingly, it is of critical 
importance that an arrangement of this scale and importance is established on a proper legal 
footing, to include - but not limited to - the putting in place of an appropriate legislative 
foundation, and that it operates in a fair and transparent manner in accordance with core data 
protection principles. 

Some people have commented that they don't understand why there's any fuss about the PSC 
since the types of data it stores is all standard Public Sector Identity (PSI) data (already 
associated with getting a PPSN) and so they ask how anyone could expect to keep that "private" 
when they are dealing with a given public sector body in Ireland. It is a misunderstanding to 
think that data protection law is directly and only concerned with "privacy". In fact, data 
protection is a far broader area of law that in many cases has less to do with "privacy" (as that 
term might commonly be understood) and more to do with how people exercise control over 
their information. So, for example, in data protection law, the right of an individual to access a 
copy of his or her personal data is recognised as being of particular importance. This clearly is 
less about "privacy" per se and has more to do with giving individuals control to ensure they 
know what data is held about them, that it is accurate, and that they understand how it will be 
used to make decisions about them. It is for these reasons, which have to do with foreseeability 
and control on the part of individuals, that the Data Protection Commission (DPC) has conducted 
a detailed investigation into matters surrounding the PSC project. 

What does the actual card do? 

The PSC has invariably been billed as a system that will make it easier and more efficient for the 
public to access public services and will assist in the elimination of fraud. The Department of 
Employment Affairs and Social Protection (DEASP) has taken this a step further, expressing the 
view - on the public record - that efficient public service development and delivery in Ireland 
will be inhibited if the State does not introduce a "single electronic identification scheme".^ At 


1 Joint Committee on Employment Affairs and Social Protection debate - Thursday, 22 Feb 2018, Public Services Card: 
Discussion. 
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some level of abstraction, it may be possible to conceive of there being some force to this 
argument, but, in the final analysis, it is of course the case that any such Scheme must comply 
with basic data protection principles that form part of the law of the land, to include those laws 
enacted by the Oireachtas and those enacted at European Union level. 

Our investigation has identified that what is being implemented falls far short of delivering on 
the goals identified by DEASP. This is a point of some significance when considering the balance 
which the PSC project purports to strike between the interests and rights of citizens on the one 
hand, and the interests of the State on the other. It also raises questions about the lawfulness 
of the personal data collection and processing involved. 

It is also important to bear in mind that, while the PSC is frequently spoken of as a project 
involving more than the card itself, the card element, as it has been implemented in practice, 
and contrary to the original concept, has remarkably little by way of meaningful real-world 
application. Notably, no public sector body has invested in the technology capable of reading 
the chip that contains the encrypted elements of the Public Sector Identity dataset on the card.^ 
Exceptionally, a special variant of the card with its own separate chip has been created for those 
who avail of free travel. Elowever, even that chip - and what is read from it - forms part of the 
National Transport Authority's integrated ticketing specification rather than the PSC itself. The 
card's obvious lack of meaningful utility operates to reinforce concerns about the reasons put 
forward by the State to justify the introduction and roll-out of the card and the balance being 
struck in that context between the interests and rights of citizens and the State, respectively. 

SAFE registration 

In reality, the backbone of the project is a form of citizen registration system. That system is 
based on a nationally developed standard called the "Standard Authentication Framework 
Environment (SAFE)". When registering an individual for the purpose of issuing a PSC, DEASP 
applies the "SAFE 2" standard to authenticate a person's identity to a "substantial level of 
assurance"^. DEASP requiresany individual who is to be issued with a PSC to presentthemselves 
in person at specified government offices, to bring a range of supporting identity and other 
documentation with them, to submit to a face-to-face interview, and to have a high-quality 
photo taken on-site and a recording of their signature stored. Re-registration is required every 
seven years. A facial recognition system has been implemented to match new photographs of 
individuals taken against the population of photographs already stored in order to ensure an 
individual is not attempting to fraudulently register twice'^. Notably, the Comptroller and 
Auditor General characterised SAFE as "mass registration of the population to a specific 
standard"^ in his "Report on the Accounts of the Public Services 2015", which addressed the 
roll-out of the PSC. 

The SAFE system and terminology is not explicitly referenced in any legislation but, entirely 
reasonably, social welfare legislation does make it clear that persons claiming benefits must 
satisfy the Minister as to their identity; it also sets out a process by which this may be done and 


^ " Comprehensive Guide to Safe Registration and the Public Services Card " - DEASP, October 2017, Page 45 

^ " Comprehensive Guide to Safe Registration and the Public Services Card " - DEASP, October 2017, Page 8 

" Comprehensive Guide to Safe Registration and the Public Services Card " - DEASP, October 2017, Page 11 

^ https://www.audit.gov.ie/en/Fincl-Report/Publications/2016/Roll-out-of-the-Public-Services-Card.pdf para 10.19 
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it identifies certain consequences where a person fails to engage in the identity validation 
process (for example, a benefit may be suspended under section 247C of the Social Welfare 
Consolidation Act 2005). The same social welfare legislation makes no such explicit provision 
regarding the consequences that may flow for individuals transacting with public sector bodies 
other than DEASP. In that context, all it provides is that the Minister may issue a PSC if it is 
required for a transaction with another State body. Already, this creates a foreseeability 
problem for individuals in that position because it is unclear (for example) what consequences 
may be visited on them if they fail to produce a PSC or to update data fields relevant to their 
PSC. 

Currently, the position is that the DEASP, and only the DEASP, registers individuals to the SAFE 
2 standard in the State. In that connection, the Department has acknowledged to the DPC that 
it discourages any other public body from implementing a parallel system of SAFE 2 registration. 
Equally, a PSC - which the DEASP describes as a mere "token" of SAFE 2 registration - can only 
be issued by the Minister for Employment Affairs and Social Protection. Under relevant 
provisions of the Social Welfare Consolidation Act 2005, it is also the DEASP that holds 
responsibility for managing the Public Service Number (PPSN) and the Public Service Identity 
functions. That being so, DEASP was identified as the proper respondent for the purposes of 
this investigation even though our findings also carry implications for many other State bodies. 

Frequent change and unclear destination 

The PSC project is one that has many moving parts and a complexity of logic and terminology 
attaching to it that makes any analysis of it - legal or otherwise - challenging. 

On any objective analysis, it is fair to say that the PSC project has evolved considerably since its 
inception in the 1990s. In the early days, and as noted above, the card was conceptualised, not 
as a form of photo ID, but rather as a card that would be used in actual cord-bosec/ transactions 
with a variety of government bodies and agencies that would use cryptographic readers to read 
the chips on the card and more efficiently deliver service to their users. (It was only under the 
Social Welfare and Pensions Act 2012 that it became mandatory for a person to allow for his or 
her photograph to be captured and reproduced for the purpose of issuing a PSC). In instances 
where remote access would be more convenient or beneficial, it was intended that holders 
could be issued with individual smart readers (like those used for remote Chip and Pin online 
banking) in order to allow authentication from home or remotely. The card issued on foot of 
the registration process was therefore intended to be a true enabler in terms of accessing 
relevant services. 

Where we have arrived at today is that the card itself as a physical piece of infrastructure serves 
little purpose as an enabler. Instead, its use is constrained to that of a limited form of photo 
identification. The DPC is aware of only one other case where a non-related service provider 
(the NTA) has integrated their technology onto the PSC card rather than (for example) supplying 
LEAP cards to all Free Travel customers. It is acknowledged that this latter integration is in fact 
of great utility to users and so it is not the subject of criticism in and of itself by the DPC. Rather, 
the point the DPC makes is that, beyond this single example, the form of card issued by DEASP 
- with its secure chip - serves little purpose as an enabler, and in fact cannot serve as an enabler. 
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because no public sector body reads it or is presently capable of reading it for the purposes of 
transactions involving the delivery of public services.® 

Further issues of concern arise in relation to arguments that the PSC is necessary to validate 
identity and to prevent fraud. Such concerns arise because the true position is that not everyone 
is in fact required to submit to the "usual SAFE 2 method" in order to obtain a card in the first 
place. On that score, certain "low risk" cases have been identified by DEASP where cards have 
been issued without standard SAFE 2 registration; as recently as 2017, the face-to-face 
interview was foregone by DEASP in other cases. Despite these obvious anomalies - and despite 
what they mean for the security and fraud justifications relied on by DEASP in connection with 
the card - no transparent criteria have been published identifying when, how and in what 
circumstances an individual will be treated as presenting low levels of risk such that a PSC can 
be issued without the need to satisfy the SAFE 2 standard. 

From the advent of the card, the Data Protection Commission had concerned itself with the 
potential for "function creep" in relation to its use. Already, we have seen the card evolve, with 
its original purpose (as a mechanism to enable the accessing of public services in a way that 
serves the interests of both the citizen and the State) becoming marginalised and alternative 
purposes being adopted, namely, the use of the card as a limited form of photographic ID. 
Equally, the card is now moving from being one that strictly required for use in the context of 
transactions with specified public sector bodies, to one that - if draft legislation presently under 
development is passed in its present form - may, in the near future, be used as an Age Card to 
be presented in off-licences to purchase alcohol.^ Again, while, superficially, and at first blush, 
this development may appear benign, it nonetheless represents a significant shift in terms of 
the evolution of and rationale for the card, with little by way of debate - parliamentary or 
otherwise - as to whether this is good thing, and no re-examination of what it might mean, 
either for the balance being struck between the respective interests of the citizen and the State, 
or for the legal basis on which the PSC stands. 

From time-to-time, media reports of other proposals for expanding usage of the PSC appear, all 
of which would likewise have significant implications for holders of the card.® 

It is perhaps this ongoing shifting of policy and direction in relation to the PSC that has led to 
what the DPC identifies as a very fragmented (and, ultimately, in the cases we outline, 
insufficient) underpinning of the PSC in terms of its legal basis. So far as that legal basis rests on 
legislation, the main piece of legislation identified by the Department as underpinning the PSC 
and SAFE registration systems is the Social Welfare Consolidation Act, 2005. That Act has been 
amended through primary legislative enactments at least once a year each year since 2005. One 
of the key provisions relating to PSC - Section 263 - has been amended six times and by three 
different pieces of primary legislation. A further key provision relied on by DEASP in relation to 


^ Information is stored electronically on the PSC in two ways: on a contact chip, and on a magnetic stripe. No specified 
body has implemented technology to read the contact chip. An Post reads the Magnetic stripe for the purposes of 
accessing the PPS Number in connection with certain transactions. See further " Comprehensive Guide to Safe 
Registration and the Public Services Card " - DEASP, October 2017, Page 45 
^ https://www.oireachtas.ie/en/bills/bill/2017/94/ 

® https://www.rte.ie/news/ireland/2018/0122/935229-public-service-card/ 

https://www.independent.ie/irish-news/news/minister-backs-plan-to-keep-kids-off-adult-sites-38289293.html 
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the PSC project is Section 241; that section has been amended 28 times by 11 enactments. 
During the course of this investigation, DEASP published, for the first time, an informal 
consolidation of the social welfare legislation that purports to underpin SAFE/PSC. Notably, the 
document runs to some 561 pages with 2,410 footnotes relating to amendments and 
substitutions. 

Quite apart from the fact that the 2005 Act is of course an Act intended to codify our social 
welfare law and not one designed to make provision for a single electronic identification 
scheme, or similar, it is the view of the DPC that the piecemeal and fragmented nature of the 
legislative interventions described in the preceding paragraph cannot but impact - adversely - 
on the coherence, credibility and sustainability of the legal foundations on which the PSC sits 
and the PSC project's capacity to satisfy (for example) specific legal obligations relating to the 
application of transparency principles. 

Public bodies other than the DEASP that require the card 

By way of observation in relation to published information about bodies other than DEASP that 
require the PSC, we note that the DEASP website indicates that the PSC will soon be required to 
make an appeal to the Department of Education in relation to the provision of access to school 
transport schemes.® What is striking about the current system of school transport appeals is 
that, whether an appeal is submitted online or offline, no identity validation of any description 
is required. It is not readily apparent how or why a SAFE 2 level of identity authentication is now 
to be introduced as a core requirement of any appeal about a local school transport decision, 
to the exclusion of all other forms of ID.“ 

What the foregoing illustrates is that there are obvious and significant deficits in terms of logic 
and consistency in relation to the "requirements" for use of the card in some cases and an 
artificiality about requiring it in others.This creates real issues of foreseeability for service 
users. Rather than the PSC being any kind of enabler for the purpose of accessing public services 
(other than social welfare services and free travel), it can in fact operate as an impediment to 
accessing public services. 

A further issue identified in the course of the investigation relates to another of the purported 
benefits of the project, namely, the idea that use of the PSC will ensure that public bodies 
generally are operating from the same data-set for each individual citizen. In practice, however, 
this is not the case. Specifically, in cases where a person interfaces with one particular public 
body and, in the context of that same transaction, updates or changes their home address, this 
may not in fact result in their address being updated on the SAFE 2/PSI register. This being so, 
an individual may wrongly assume that, simply by updating their address with one public body 
by means of the PSC, that information will be updated globally within the public system as part 
of the purported benefits of using the card. This leaves individuals in a position where they do 
not know - and cannot know - what the up-to-date position is in relation to basic personal 


^ See question on what bodies will require SAFE 2 to utilise their services - https://psc.gov.ie/questions/ 

“ https://www.schooltransportappeals.ie/ 

It would seem noteworthy that some of these mandatory "requirements" to produce a PSC were introduced after 
the Comptroller and Auditor General's "Report on the Accounts of the Public Services 2015", which addressed roll¬ 
out of the PSC at Chapter 10 
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identity data held about them by the State. This could cause or contribute to very basic and very 
practical difficulties where, for example, correspondence is issued to a former address^^. 
Beyond that, however, this very simple example underscores the fact that certain of the benefits 
said to be associated with the roll-out of the PSC project are, in truth, illusory, because the 
infrastructure necessary to unlock them is not in place. As a matter of principle, the idea that 
the project is based on justifications, at least some of which are illusory, is hugely concerning, 
not least because it means that a large-scale project being rolled out by the State and which, by 
definition, involves interference with the data protection rights of individual citizens, cannot be 
said to be founded on a credible and sustainable legal basis, consistent with applicable legal 
requirements. 

High-level findings of this Investigation 

Three key findings of this investigation are: 

1. There is no lawful basis on which DEASP can rely to SAFE 2-register and issue PSCs to 
persons required to obtain a PSC in order to transact with a public body other than the 
DEASP . While this report is addressed to DEASP, as the relevant data controller, the 
corollary of this finding is that bodies other than DEASP cannot insist that a person who 
does not already hold a PSC must obtain one. 

2. The DEASP has not complied with the data retention principle, insofar that it keeps all 
of the supporting documentation it collects in the course of SAFE registration and 
issuing a PSC (for example, utility bills) for longer than is necessary. 

3. The DEASP has not delivered sufficient transparency to the public in terms of what 
personal data it processes in the context of SAFE 2/PSC, for example, how that data is 
updated and shared with other public sector bodies for the purposes of decision¬ 
making. 


On foot of these findings, the DPC will require the DEASP to cease SAFE 2/PSC registrations other 
than in cases where a person is transacting with the DEASP for the purpose of social welfare 
claims or benefits. DPC will also require the deletion of all supporting documentation previously 
collected for SAFE 2 registrations (and the deletion of any documentation that may be collected 
in connection with any PSC that may issue at any future date). Finally, the DPC will require the 
DEASP to remedy a number of deficits in its provision of information to the public in connection 
with the discharge of its obligations under transparency principles laid down in data protection 
legislation. 

This report and findings are the first of two finalised reports and decisions on the PSC project 
that will issue to the DEASP in 2019. A further report will shortly make provisional findings to 
the DEASP, including matters relating to data security; arithmetic template generation (and 
associated processing of personal data) for SAFE 2 and the PSC; and in relation to the DEASP's 


https://www.theiournal.ie/readme/psc-rollout-3654500-0ct2017/ 

https://www.irishtimes.com/business/technologv/want-to-enter-a-kafkaesque-nightmare-trv-using-vour-public- 

services-card-1.3752687 
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processing of personal data generated in connection with the use of the free travel variant of 
the PSC. Once the DPC has considered any final submissions of DEASP in relation to that second 
report, it will finalise its report and decision on those particular issues. 

A series of further related issues remain to be examined at a future date, including the "Single 
Customer View" and "MyGovID" projects. The DPC is presently considering how best to 
approach that body of further work. 

Implications for the public 

Nothing in the findings made by DPC impacts the validity or use by individuals of PSCs already 
issued. Likewise, nothing in the findings impacts existing free travel users or prevents DEASP 
from processing and issuing further free travel variants of the PSC. 

On foot of the findings in this present report, the DPC will require the cessation of the issuing 
of new PSCs where they are required by a public body other than by DEASP itself. In that regard, 
the DPC investigation finds that the Social Welfare Consolidation Act of 2005 does not provide 
a legal basis for bodies other than DEASP to compel an individual to procure and produce a PSC. 
Bodies which have made it mandatory for the provision of service that an individual procures 
and produces a PSC will be required to amend their procedures and accept other forms of 
identity verification if an individual does not have a PSC. This includes bodies other than DEASP 
that have made access to their service conditional on an individual signing up for a verified 
MyGovID account which in turn mandatorily requires the PSC. 


Elelen Dixon 

Commissioner for Data Protection 
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SUMMARY OF FINDINGS UNDER THE ACTS 


Finding 

number 

Part in 
Report 

Finding 

1 

Part 3.2 

FINDING 1 

THE DATA PROTECTION COMMISSION FINDS THAT ARISING FROM THE 

COMBINATION OF SECTIONS 241(l)(b), 242(4) AND 263(1) OF THE SWCA 
2005, THERE IS A LEGAL BASIS UNDER SECTION 2A(l)(c)(ii), (ill) AND (iv) 
OF THE ACTS FOR DEASP TO PROCESS CERTAIN PERSONAL DATA, (AS 
DESCRIBED AT PARAGRAPHS 175 TO 176) BY WAY OF SAFE 2 

REGISTRATION AND THE ISSUING OF A PSC FOR THE PURPOSE OF 

AUTHENTICATING THE IDENTITY OF A PERSON CLAIMING, PRESENTING 

FOR OR RECEIVING A BENEFIT. 

2 

Part 3.3 

FINDING 2 

IN THE CONTEXT OF WHETHER THERE IS A LEGAL BASIS FOR THE 

PROCESSING OF PERSONAL DATA CARRIED OUT BY DEASP IN RESPECT 

OF PERSONS ENGAGING IN A TRANSACTION WITH A SPECIFIED BODY 

OTHER THAN DEASP (THE "SPECIFIED BODY"), THE DPC'S CONCLUSIONS 

ARE AS FOLLOWS. 

(A) IN RELATION TO THE EFFECT AND MEANING OF SECTION 263(3) 

OF THE SWCA 2005: 

(1) SECTION 263(3) DOES NOT CONFER A POWER ON THE SPECIFIED 

BODY TO INSIST UPON PRODUCTION OF A PSC FOR THE 

PURPOSE OF A TRANSACTION WITH IT WHERE A PERSON DOES 

NOT ALREADY HAVE A PSC; 

(2) UNDER THE SWCA 2005 THERE IS NO LEGAL REQUIREMENT ON 

A PERSON SEEKING TO ENGAGE IN A TRANSACTION WITH THE 

SPECIFIED BODY TO SUBMIT TO HAVING THEIR PERSONAL 

DATA PROCESSED BY DEASP FOR THE PURPOSES OF SAFE 2 

REGISTRATION AND THE ISSUING OF A PSC; 

(3) THE SPECIFIED BODY CANNOT REFUSE TO ENGAGE IN A 

TRANSACTION WITH A PERSON WHO DOES NOT HAVE A PSC 

AND WHO DOES NOT OBTAIN ONE. 

(B) BASED ON THE FINDINGS AT PARAGRAPH (A) ABOVE, THE DPC 
IS NOT SATISFIED THAT THERE IS LEGAL BASIS UNDER SECTION 
263 SWCA 2005 OR OTHERWISE UNDER THE SWCA 2005, FOR 
THE PURPOSES OF SECTION 2A(l)(c)(ii), (ill) OR (iv) OF THE ACTS, 
OR OTHERWISE UNDER THE ACTS, FOR PROCESSING CARRIED 
OUT BY DEASP FOR SAFE 2 REGISTRATION AND THE ISSUING OF 

PSCS IN CIRCUMSTANCES WHERE THE SPECIFIED BODY HAS 
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SOUGHT TO COMPEL THE PRODUCTION OF A PSC, BY A PERSON 
WHO DOES NOT ALREADY HAVE ONE, FOR THE PURPOSES OF A 
TRANSACTION WITH THE SPECIFIED BODY. ACCORDINGLY, IN 
THE CIRCUMSTANCES OF SUCH PROCESSING, THE DPC 
CONSIDERS THAT DEASP IS IN CONTRAVENTION OF ITS 
OBLIGATION UNDER SECTION 2A(1) OF THE ACTS. 

3 

Part 3.6 

FINDING 3 

THE DATA PROTECTION COMMISSION FINDS THAT THE BLANKET, 

INDEFINITE RETENTION OF PERSONAL DATA CONSISTING OF 

DOCUMENTS AND INFORMATION (OTHER THAN THE APPLICANT'S 
PHOTOGRAPH AND SIGNATURE) WHICH ARE ORIGINALLY COLLECTED 

FOR THE PURPOSES OF IDENTITY AUTHENTICATION IN THE CONTEXT OF 

SAFE 2 REGISTRATION IS IN CONTRAVENTION OF DEASP'S OBLIGATIONS 

UNDER SECTION 2(l)(c)(iv) OF THE ACTS. 

4 

Part 4.3 

FINDING 4 

THE DATA PROTECTION COMMISSION IS NOT SATISFIED THAT THE 

SOCIAL WELFARE CONSOLIDATION ACT 2005 ALONE PROVIDES DATA 

SUBJECTS WITH SUFFICIENT INFORMATION ON THE PSC AND SAFE 2 

REGISTRATION, PARTICULARLY WITH REGARD TO PURPOSES OF 

PROCESSING, TO MEET DEASP'S TRANSPARENCY OBLIGATIONS UNDER 

SECTION 2D OF THE ACTS. 

5 

Part 4.4 

FINDING 5 

THE DATA PROTECTION COMMISSION IS NOT SATISFIED THAT DEASP'S 

PRIVACY STATEMENT PROVIDES DATA SUBJECTS WITH SUFFICIENT 

INFORMATION IN RELATION TO PROCESSING OF PERSONAL DATA IN 

CONNECTION WITH THE ISSUE OF THE PSC AND SAFE 2 REGISTRATION TO 

MEET DEASP'S TRANSPARENCY OBLIGATIONS UNDER SECTION 2D OF 

THE ACTS. 

6 

Part 4.5 

FINDING 6 

THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS 

CONTRAVENED SECTION 2D(2)(d) OF THE ACTS, BY FAILING TO PROVIDE 

DATA SUBJECTS WITH SUFFICIENT INFORMATION CONCERNING THE 

RELEVANT POTENTIAL CONSEQUENCES FOR A PSC CARDHOLDER WHO 

FAILS TO UPDATE INFORMATION PROVIDED IN THE CONTEXT OF A SAFE 

2 REGISTRATION. 
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7 

Part 4.5 

FINDING 7 



THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS 

CONTRAVENED SECTION 2D(2)(d) OF THE ACTS, BY FAILING TO PROVIDE 

DATA SUBJECTS WITH SUFFICIENT INFORMATION CONCERNING THE 

CIRCUMSTANCES IN WHICH INFORMATION PROVIDED TO ANOTHER 

PUBLIC BODY (NOT DEASP) WILL BE PASSED TO DEASP AND USED TO 

UPDATE THE PSI DATASET. 

8 

Part 4.6 

FINDINGS 



THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS 

CONTRAVENED THE TRANSPARENCY AND FAIRNESS REQUIREMENTS OF 
SECTION 2D(2)(c) AND (d) OF THE ACTS, BY FAILING TO PROVIDE DATA 
SUBJECTS WITH SUFFICIENT INFORMATION CONCERNING THE PURPOSES 

AND JUSTIFICATION FOR INDEFINITELY RETAINING DOCUMENTS AND 

INFORMATION USED TO IDENTIFY AN INDIVIDUAL FOR THE PURPOSE OF 

INITIAL SAFE 2 REGISTRATION. 
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LIST OF ACRONYMS AND ABBREVIATIONS 


The following acronyms and abbreviations appear throughout this Report: 


the Acts Data Protection Acts 1988 and 2003 

the 2018 Act Data Protection Act 2018 

CFIMS Cogent Facial Image Management System 

Comprehensive Guide DEASP's "Comprehensive Guide to SAFE registration and the Public 
Services Card" (October 2017): 

https://www.welfare.ie/en/downloads/DEASP Comprehensive Guide 

to SAFE Registration and the PSC.pdf 

DPC Data Protection Commission (previously the Data Protection 

Commissioner prior to the entry into application of the Data Protection 
Act 2018) 

DEASP The Department of Social Welfare as established under the Ministers 

and Secretaries (Amendment) Act 1946, subsequently renamed as 
follows: 


DPER 

GDPR 


The Minister 

MyGovID 

NDLS 

PPSN 

PSC 

PSI 

SAFE 

SAFE 2 


SCV 

SWCA 2005 
SWPA 


• renamed as the Department of Social, Community and Family 
Affairs in 1997, 

• renamed as the Department of Social and Family Affairs in 

2002 , 

• renamed as the Department of Social Protection in 2010, 

• renamed as the Department of Employment Affairs and Social 
Protection in 2017 

Department of Public Expenditure and Reform 
Regulation (EU) 2016/679 of the European Parliament and of the 
Council of 27 April 2016 on the protection of natural persons with 
regard to the processing of personal data and on the free movement 
of such data, and repealing Directive 95/46/EC (General Data 
Protection Regulation) 

Minister for Employment Affairs and Social Protection 

a personal online account for accessing public services 

National Driver Licence Service 

Personal Public Service Number 

Public Services Card 

Public Services Identity 

Standard Authentication Framework Environment 
Level 2 of the SAFE framework, intended to provide “Substantial 
assurance (the minimum authentication level for issuing a Public 
Services Card)" 

Single Customer View 

Social Welfare Consolidation Act 2005 as amended 
Social Welfare and Pensions Act (multiple years) 
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PART ONE 


INTRODUCTION 
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1.1 Executive Summary 


1. This investigation report (referred to throughout as the 'report') examines the Public 
Services Card ("PSC") and the underlying Standard Authentication Framework Environment 
("SAFE" framework) which provides a standards-based registration process to authenticate 
identity. This report sets out the DPC's conclusions and findings arising from its investigation 
into the processing of personal data carried out by the Department of Employment Affairs 
and Social Protection ("DEASP") in connection with the PSC and SAFE registration. The DPC's 
investigation was conducted in accordance with Irish data protection law under the Data 
Protection Acts 1988 and 2003 (the "Acts") as this was the applicable law in place at the 
time this investigation was commenced on 27 October 2017.^^ 

2. This report does not comment on the actual Government policy of introducing an identity 
card that is national in scale and using a specific form of registration within the State. Such 
a policy matter is one that is entirely for Government. The report however does make 
specific findings under the Acts in relation to the processing carried out in the context of 
compelling exclusive use of the PSC in order to avail of certain State services. 

3. The introduction of the PSC has implications for all members of the public in terms of data 
collected, required, stored and shared. This report considers the clarity of the message 
from the sponsoring Government department, DEASP, in terms of providing a rationale for 
the PSC and setting out the means and purpose for the collection and processing of personal 
data in connection with it. This report specifically examines whether there is a legal basis 
for such processing of personal data by DEASP in connection with the issuing of the PSC and 
the accompanying SAFE registration process. The transparency of information provided to 
data subjects in relation to such processing is also considered in this report. 

Summary of the DPC's findings on legal basis and transparency 

4. Ultimately, this report identifies that there are significant gaps in the purported legal basis 
under data protection law for the processing of personal data by DEASP in connection with 
the PSC. A particularly significant finding of this report is that there is no legal basis under 
the Acts for DEASP to process personal data for the purposes of identity authentication of 
persons conducting transactions with public bodies other than DEASP. Flowever the DPC 
has found that there is a legal basis under the Acts for DEASP to process the personal data 
of people who are claiming benefits from DEASP. 

5. The DPC has also found that the indefinite, blanket retention by DEASP of certain 
documentation and information collected during the SAFE registration process contravenes 
the principle that personal data shall not be kept for longer than is necessary. 


See further explanations below at Part 1.7.2 which explain how the Data Protection Act 2018 provides for an existing 
investigation under the Acts to be completed under the Acts notwithstanding that the Data Protection Act 2018 
entered into application to give further effect to the GDPR on 25 May 2018. 
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6 . 


In relation to its examination of DEASP's compliance with its transparency obligations 
concerning the personal data processing which it carries out in connection with SAFE 
registration and the PSC, the DPC has found that, contrary to DEASP's obligations under the 
Acts, there is a serious deficit of information provided to the public concerning the 
processing in question. 

1.2 Conduct of this investigation 

7. DPC's investigation into the processing of personal data by DEASP in respect of the PSC 
commenced on 27 October 2017 under the Acts which formed the applicable data 
protection legal framework at that time.^'^ In commencing the investigation, the DPC issued 
over 50 queries to DEASP on the matters under investigation. The scope of the investigation 
was stated to cover the following matters: 

• The SAFE registration process, 

• The Public Services Identity ("PSI") dataset, 

• The Single Customer View ("SCV") database; and 

• The MyGovID account facility. 

8. DEASP submitted its response to these questions on 6 December 2017, followed by further 
submissions received on 8 January 2018 in response to more detailed questions posed by 
the DPC on the security of the PSC. On 30 January 2018, the DPC notified DEASP of its 
intention, given the extensive range of issues captured, to split the investigation into two 
modules, with the first module dealing with the PSC, specifically the issues of (i) the legal 
basis for processing personal data in connection with the PSC; (ii) security measures in 
relation to processing operations in connection with the PSC; and (iii) transparency of 
information provided in relation to processing personal data in connection with the PSC 
(the "Module 1 Matters"). The DPC indicated that its intention was that the second module 
would focus on an examination of the Single Customer View (SCV), MyGovID and the PSI 
dataset (the "Module 2 Matters") and that investigative work on the Module 2 Matters 
would take place during February and March 2018. Elowever, due to the scale of the work 
involved in the Module 1 Matters, that work continued until 28 August 2018. 

9. On 28 August 2018 the DPC issued a confidential draft investigation report to DEASP on the 
Module 1 Matters (the "Draft Report"). The Draft Report included 13 provisional findings as 
well as 17 requests for further information from DEASP. In respect of each such request, 
the DPC reserved its position to make a finding pending the receipt of the further 
information which had been requested from DEASP. The DPC sought DEASP's responses to 
the requests for further information and any other submissions from DEASP on the Draft 
Report within one month. In the DPC's covering letter of 28 August 2018, it also informed 
DEASP that due to the ongoing work on the Module 1 Matters that work on the Module 2 
Matters had not yet commenced. As the GDPR and the Data Protection 2018 (the "2018 


i'* See further explanation below at Part 1.7.2. 
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Act") had since entered into application, replacing the Acts, the DPC informed DEASP that 
it did not consider that it would be in the public interest or the interest of data subjects in 
the State generally for the DPC to conduct its investigation into the Module 2 Matters under 
the Acts, given that the Acts no longer applied. The DPC therefore informed DEASP that it 
was proposing, once the investigation into the Module 1 Matters had concluded with the 
delivery of the DPC's finalised report to DEASP, that the investigation commenced by notice 
of 27 October 2017 under the Acts would be deemed to have been completed. The DPC 
also informed DEASP that it proposed to commence an 'own volition' inquiry under section 
110 of the 2018 Act into the Module 2 Matters. 

10. In its letter to DEASP of 28 August 2018, the DPC also clarified that while the investigation 
and underlying analysis set out in the Draft Report had been conducted by reference to the 
Acts rather than the GDPR and the 2018 Act, the factual position as regards the processing 
of personal data by DEASP in connection with the PSC had been analysed up to 20 August 
2018 . The DPC explained that the reason for this approach was that Section 8(3)^^ of the 
2018 Act specifically requires that the Acts (rather than the GDPR and/or the 2018 Act) are 
applied in the context of an investigation commenced prior to 25 May 2018 but not 
completed until after that date.“ 

11. On 3 September 2018, DEASP wrote to the DPC confirming that it had no objections to the 
Module 2 Matters being investigated by reference to the GDPR. The principal purpose of 
that correspondence however was to seek an extension for a further 2 months (i.e. to 28 
November 2018) and to also notify the DPC that DEASP considered it necessary to share the 
DPC's Draft Report with the Department of Public Expenditure and Reform ("DPER") so that 
DEASP could comprehensively respond to the issues raised in the Draft Report. The DPC 
replied on 7 September 2018 agreeing to give DEASP a shorter extension up to 31 October 
2018. The DPC also stated that it was not objecting to DEASP sharing the Draft Report with 
DPER but sought further information on why DEASP considered this necessary.DEASP 
replied on 10 September 2018 stating that it would do its best to meet the deadline of 31 
October 2018. It also stated that it was necessary to share the Draft Report with DPER as 
DPER had "policy responsibility for developing and implementing an ICT strategy for the Irish 
public service, while delivering new innovative digital services and enhancing the use of the 
Government's information assets... [which] includes the PSC/SAFE programme". 

12. On 18 October 2018, DEASP wrote to the DPC stating that it would not be in a position to 
meet the deadline of 31 October 2018 and stating that DEASP intended to send its response 
to the DPC by 30 November 2018. The letter stated that this time was necessary to afford 
DEASP fair procedures and that if the DPC proceeded to finalise the Draft Report prior to 
that date, DEASP would consider other options including the possibility of legal proceedings. 
On 26 October 2018, the DPC responded agreeing to one further extension and stating that 


Section 8(3), 2018 Act - '(3) An investigation under section 10 of the Act of 1988 that was begun but not completed 
before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to 
such an investigation.' 

See further explanation at Part 1.7.2. 

It should be noted that for the purposes of this report, the DPC has not analysed whether DEASP and DPER may be 
joint controllers in relation to personal data processed by DEASP in connection with SAFE registration and the PSC. 
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the threat of legal proceedings was unwarranted in circumstances where the DPC had 
already provided an extension of a month. 

13. On 30 November 2018, DEASP sent its response to the Draft Report to the DPC. This 
included responses to the 13 provisional findings and the 17 requests for information. The 
response comprised of 470 scanned pages^® (un-paginated), including 28 appendices. 
Following a request from the DPC, the DEASP subsequently sent a searchable version of its 
response by way of five different PDF files. 

14. During the period between December 2018 and August 2019, the DPC revised the Draft 
Report, insofar as it concerned the legal basis for processing and transparency in relation to 
processing in connection with the PSC. In preparing this finalised version of the report, the 
DPC took careful account of the responses and further information which had been 
provided by DEASP on those issues. This report therefore sets out the DPC's conclusions and 
findings relating to DEASP's compliance with the legal basis and transparency obligations 
under the Acts insofar as concerns the processing carried out by DEASP in connection with 
SAFE registration and the PSC. 

15. The DPC is continuing to prepare a further revised draft report which deals with the issues 
of security of processing and facial matching processing by DEASP in connection with the 
PSC and specific use cases of the PSC . This revised draft report will contain provisional 
findings on these matters arising from DEASP's responses from 30 November 2018 to 
certain of the requests for further information (which were set out in the DPC's Draft Report 
which issued on 28 August 2018). That revised draft report will then be issued to DEASP so 
that it has an opportunity to comment on those provisional findings. Thereafter the DPC 
will take account of any responses/ submissions from DEASP and finalise its report on 
DEASP's compliance with its obligations under the Acts relating to security of processing, 
facial matching processing and use cases in connection with the PSC. 

16. As noted, the DPC has previously informed DEASP that issues regarding DEASP's compliance 
with its obligations under the GDPR and the 2018 Act in relation to data processing carried 
out in connection with the SCV, the PSI dataset and MyGovID remain to be examined by the 
DPC. The DPC is presently considering how best to approach that body of further work. 


1.3 Background to the PSC 

17. The PSC is the culmination of a project commenced by Government over 20 years ago. The 
initial intention was to introduce a physical token to be used in high-value card-based 
transactions between citizens and the State.“This token was not intended to be an identity 


DEASP's response included 160 of submissions on the Draft Report and responses to the DPC's Requests for Further 
Information, while the remainder consisted of supporting documentation 

Comptroller and Auditor General Special Report, eGovernment, October 2007, 
http://www.audgen.gov.ie/documents/vfmreports/58 eGovernment.pdf 
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card and, as set out in legislation, was not intended to include a photo on its face. The card 
was to have secure electronic chip features to store data safely and to enable it to be read 
by specific devices at government agencies or by pocket readers where remote 
authentication was required. 

18. The Government made Decisions in 2004 and 2005 approving the development of a 
standards based framework for the PSC and approving the use of the PSC and compulsory 
compliance with SAFE standards.“ SAFE has a number of levels, each reflecting a level of 
assurance as to identity (see below at paragraph 171). SAFE 2 is the standard (substantial 
assurance as to identity) to which the PSC, as a token of SAFE registration, is produced. The 
SAFE framework is not an international standard and is not specifically referred to by name/ 
acronym in any legislation. 

19. A further Government Decision in 2013 confirmed the Government's intention to ensure 
the use of the PSC to access all appropriate government services.This broadened the 
scope of the intended use of the PSC considerably so that the SAFE 2 standard was to be 
used not only to authenticate identity for accessing benefits and services from DEASP, but 
also for accessing services from other specified bodies outside the field of employment and 
social protection (e.g. the issuing of driving licences and passports).As will be seen from 
the discussions of the DEASP's position later in this report, DEASP maintain that the 
legislation allowing for the roll-out of the PSC was already in place dating back to 1998.^^ 

20. While DEASP maintain that it is not compulsory for a person to have a PSC simply by virtue 
of being resident in the State, the right of individual residents to access an ever-increasing 
range of public services has, in effect, been made conditional upon production of a PSC as 
will be seen from this report. These requirements by public sector bodies to produce a PSC 
to the exclusion of alternative ways to authenticate identity, have led to public criticism that 
compulsion (to obtain a PSC) has been achieved because citizens, by necessity, need to 
interact with State agencies in order to access benefits and services. 

21. DEASP objects to the DPC's statement that there has been public criticism and sought for 
this statement to be removed from the final report, on the basis that there is "no evidence 
of public unrest or dissatisfaction with the SAFE process/PSC" Flowever, the DPC considers 
that such criticisms concerning the use of the PSC have been well documented in 
newspaper reports, civil society reports and Oireachtas reports. 


20 Government Decisions S290/05/25/0025, 29 J u ne, 2004 a nd S/290/05/0025 6 J u ly, 2005. 

22 Government Decision S180/20/10/1789, 18 September, 2013. 

22 See for example, Department of Foreign Affairs and Trade, Public Service Card, https://www.dfa.ie/passports- 
citizenship/top-passport-questions/public-services-card/ 

22 See for example DEASP's Response to Draft Report at Part 1, paragraph 30: "On the contrary, powers to require 
identity registration/ authentication and issue PSCs were already in place prior to 2013 and as noted by the ODPC in 
its 2010 annual report, it was anticipated that use of the PSC would become universal [...] The power provided in the 
2013 Act [...] did not create the power to require a PSC for the purposes of a transaction. That power was already in 
place dating back to 1998". 

2'* DEASP's Response to the Draft Report, Part l.ll paragraph 16. 

22 See for example a selection of newspaper articles, civil society reports and Oireachtas debates highlighting 
dissatisfaction with the PSC; 

• Irish Times, "Wary of the Public Services Card? You have good reason to be", 11 January 2018, 
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22 . 


The DPC's position is that there is no single, standalone piece of legislation underpinning 
the PSC. Instead, there are multiple pieces of primary legislation and statutory 
instruments^® setting out laws governing aspects of the PSC. In the Draft Report, the DPC 
stated that amendments to legislation in this area have been effected in a "piece-meal 
fashion to match periodic shifts in policy" and that in this respect, the public has been left 
to search through the Social Welfare Consolidation Act 2005 ("SWCA 2005") and a 
patchwork of successive amendments to find a legislative basis for the PSC, as functionality 
for the PSC has evolved to include access to many government services. However DEASP 
objects to the DPC's use of such language in this regard (i.e. to describe the evolution of the 
SWCA 2005) and considers that it is "pejorative and sensationalist" and that DEASP states 
that the SWCA 2005 is single piece of legislation that underpins the PSC and which has been 
amended through standard legislative practice.However the DPC considers that its own 


• Irish Times, "Want to enter a Kafkaesque nightmare? Try using your Public Services Card", 10 January 
2019, 

• Irish Times, "Government seeks expert support for public services card project" 6 January 2018, 

• Irish Times, "Rights group to outline 'grave concerns' over public services card", 8 February 2018, 

• Irish Times, "Public services card carries 'big risk', says UN poverty envoy", 29 July 2019, 

• Irish Times, "Over 450 have welfare suspended for not registering for public services card" 22 February 
2018, 

• Independent, "Explainer: The latest you need to know about the controversial Public Services Card" 

30 August 2017, 

• Independent, "Public Services Card crisis widens - now card will be needed for new benefits", 

• Irish Examiner, "Growing concern over amount of personal data on Public Services Card", 30 October 
2017, 

• Irish Examiner, "Data protection experts warn new Public Services Card could lead to identity theft", 

31 August 2017, 

• Irish Examiner, "Public service card debate; 'It's being done secretly, and by stealth", 29 August 2017, 

• The Journal.ie, "We were bad, what Ireland is doing is 10 times worse' - International experts 
unimpressed with Public Services Card", 12 October 2017, 

• The Journal.ie, "Stopped welfare payments and getting a passport abroad - the Irish haven't been shy 
complaining about the PSC", 16 October 2017, 

• The Journal.ie, "Flave you tried actually applying for something with the Public Services Card? It's a 
painful experience", 21 October 2017, 

• The Journal.ie, "There were fears the PSC would become a "de facto" national ID card from the very 
outset", 17 December 2017, 

• The Journal.ie, "I've had to tell more people in the last few months than in my entire life' - Man denied 
Public Services Card because he's adopted" 6 November 2017, 

• The Journal.ie, ""It is the worst form of humiliation" - Woman denied Public Services Card due to 
adopted status", 21 January 2018, 

• The Journal.ie, "'The deeper I go, the more concern I have' - Department of Transport worried over 
'exposure' due to mandatory PSC, 5 January 2018, 

• Irish Council for Civil Liberties, "Submission to Joint Committee on Employment Affairs and Social 
Protection The Public Services Card", 6 February 2018, 

• Joint Committee on Employment Affairs and Social Protection debate; Public Services Card: 
Discussion, 8 February 2018, 

• Joint Committee on Employment Affairs and Social Protection debate; Public Services Card: Discussion 
(Resumed), 22 Eebruary 2018, 

• Dail Eireann debate. Public Services Card - Tuesday, 26 Sep 2017, 

• Dail Eireann debate - Public Services Card, Thursday, 9 Nov 2017. 

Certain provisions relating to the PSC have been amended by way of SI - for example. Schedule 5 which sets out the 
specified bodies - has been amended by way of an S.l. such as S.l. No. 344/2019 - Social Welfare Consolidation Act 
2005 (Specified Bodies) Regulations 2019. Furthermore, certain bodies were added byway of an Act but commenced 
by way of an S.i. e.g. S.i. No. 410/2015 - Workplace Relations Act 2015 (Commencement) (No. 2) Order 2015. 
DEASP's Response to Draft Report at Part 1, paragraph 11 
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analysis of the legislation (for example as set out in Parts 1.6 and 4.3) bear out the DPC's 
comments in this regard. 

23. Implementation of the SAFE registration infrastructure took place between 2005 and 2011, 
providing DEASP with an opportunity prior to the roll out of the first PSC in October 2011, 
to engage in a meaningful way with the public in order to demonstrate why the PSC was a 
necessary and proportionate measure to meet a public interest objective. That this 
opportunity was missed is surprising, given the unprecedented nature of the PSC project 
and the likelihood that it could impact the fundamental rights and freedoms of all 
individuals in the State in relation to the protection of their personal data. 

24. The Comptroller and Auditor General ("C & AG") published its annual report for 2016 which 
included a chapter on the "Roll out of the Public Services Card", concluding that there was 
an absence of a single business case document at the inception of the PSC project and that 
it was not evident that a comprehensive risk evaluation had been conducted. The report 
also concluded that the Government made a number of decisions in 2004 and 2005 which 
formed the basis for the PSC, and no business case, which should qualify and compare the 
costs of a project against the expected benefits, was developed at that time.^® The C&AG 
Report on the Accounts of the Public Services 2015 noted that the Accounting Officer for 
DEASP was of the view "that while a business case had not been developed, the project has 
been coherently planned and implemented in conjunction with DPER and with the support 
of relevant decision makers and stakeholders" DEASP contend that the C & AG found that 
although there was no single business case, virtually all of the individual components of a 
business case were in existence.The C & AG report also noted that the original 2009 
contract between DEASP and the contractor engaged for the production of the cards was 
based upon 3 million cards being issued by the end of 2013.^^ This was not achieved and by 
the end of June 2016 only 2.06 million cards had been produced.A renegotiation of the 
contract occurred in 2016 raising the price per card from €4.96 to €5.37,^^ and providing 
for the advance payment of 50% of the cost of the outstanding balance of the 3 million 
cards with the costs of the cards produced in 2017 to be deducted from the advance. It also 
provided that should the target of 3 million cards not be reached by the end of 2017 then 


Office of the Comptroller and Auditor General, '2015 Annual Report, Chapter 10: 'Roll-out of the Public Services Card' 
Report on the Account of the public services 2015. 
http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 

Office of the Comptroller and Auditor General, '2015 Annual Report, Chapter 10: 'Roll-out of the Public Services Card' 
Report on the Account of the public services 2015. Paragraph 10.54. 

DEASP's Response to Draft Report at Part 1, paragraph 12. The DPC however notes that the C & AG report refers to 
the "omissions or partially addressed matters" at paragraph 10.18 Office of the Comptroller and Auditor General, 
'2015 Annual Report, Chapter 10: 'Roll-out of the Public Services Card' Report on the Account of the public services 
2015, http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
C & AG report at paragraph 10.12 and 10.50 - Office of the Comptroller and Auditor General, '2015 Annual Report, 
Chapter 10: 'Roll-out of the Public Services Card' Report on the Account of the public services 2015,. 
http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
33 C & AG report at paragraph 10.13 and 10.50 - Office of the Comptroller and Auditor General, '2015 Annual Report, 
Chapter 10: 'Roll-out of the Public Services Card' Report on the Account of the public services 2015,. 
http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
33 C & AG report at Figure 10.5 - Office of the Comptroller and Auditor General, '2015 Annual Report, Chapter 10: 'Roll¬ 
out of the Public Services Card' Report on the Account of the public services 2015, 
http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
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the costs of the cards not produced would become payable in full.The C & AG report also 
noted in its conclusions that DEASP expected that the target of 3 million cards would be 
delivered by the end of 2017. The DPC notes however that according to statements made 
in the Dail (in response to parliamentary questions) in March 2018, the total number of 
PSCs issued by that point was 2.65 million.According to further statements made in Dail 
debates in February 2019,^® by then 3.2 million PSCs had been issued. 

25. In light of the fact that SAFE 2 registration is undertaken exclusively by DEASP, the DPC's 
view, as expressed in the Draft Report, is that this gives rise to the building of "something 
close to a central register of citizens". Elowever, the DPC notes that DEASP objects to this 
characterisation on the basis that it is "false and alarmist"; that a central register would 
require that all citizens, irrespective of age were recorded on a register; and that the PSC 
system is clearly not such a central register.®^ Notwithstanding DEASP's objections in this 
regard, the DPC considers that in circumstances where, as noted above, as of February 
2019, 3.2 million people had SAFE registered to obtain a PSC,®® and the personal data 
collected as a result of such registration - consisting of not only the PSI dataset but the 
underlying identity authentication documentation is held centrally and indefinitely by 
DEASP - (see discussion of such issues at Part 3.6), the characterisation of this being 
"something close to a central register of citizens" is fair. 

26. While the Road Safety Authority in August 2018 backtracked in relation to its previous 
position that the PSC is required in order to validate one's identity in the application process 
for a driving licence and to sit a driver theory test,®® the position with other public sector 
bodies, such as, for example, the Department of Foreign Affairs for certain categories of 


C & AG report at paragraph 10.28 - Office of the Comptroller and Auditor General, '2015 Annual Report, Chapter 10: 
'Roll-out of the Public Services Card' Report on the Account of the public services 2015,. 
http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 

Response to parliamentary question 10839/18, 8 March 2018 which stated that over 2.65 million people had been 
SAFE registered to date - https://www.oireachtas.ie/en/debates/question/2018-03-08/544/ 

See Dail debates on the Public Services Card, 19 February 2019 

https://www.Oireachtas. ie/en/debates/debate/dail/2019-02-19/18/#s21 

DEASP's Response to Draft Report at Part 1, paragraph 16 

See Dail debates on the Public Services Card, 19 February 2019 

https://www.Oireachtas.ie/en/debates/debate/dail/2019-02-19/18/#s21 

Irish Examiner, U-turnon use of pubiic services card for driving licence may cost millions, 17 May 2018, available here 
https://www.irishexaminer.com/ireland/u-turn-on-use-of-public-services-card-for-driving-licence-mav-cost- 

millions-470758.html and see also Driver Theory Test, ID Policy Update, https://www.theorytest.ie/driver-theory- 
test/id-policy-update/, accessed 20 August 2018. The DPC also notes that the Minister for Transport, Tourism and 
Sport, in response to a Parliamentary Question (question 503) dated 11 July 2018 stated "It is Government policy to 
integrate the Public Services Card (PSC) into all public service provision. In line with this poiicy, I amended regulations 
earlier this year to aliow the PSC to be used as an optional but not mandatory form of identity in applications for 
driving licences. The Road Safety Authority, which is responsible for the driver theory test, has required a PSC as a 
form of identity since June of 2017. However, i understand that the Authority is also going to accept passports as a 
form of ID, although changing procedures means that this cannot happen immediately. My Department sought legal 
advice from the Office of the Attorney General at various stages of this process. [...]" The SI referred to is S.l. No. 
98/2018 - Road Traffic (Licensing of Drivers) (Amendment) Regulations 2018. This made the PSC one of a number of 
identifying documents that could be presented. 
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individuals applying for a passport/° and the Department of Justice and Equality when 
applying for citizenship remains unchanged.'^^ 

27. Clarification provided by DEASP that not all of those persons issued with the PSC have gone 
through the normal SAFE 2 registration process highlights a further concern in terms of why 
certain requirements for personal data collection are imposed on some individuals but not 
others."^^ In some cases, it appears that registration by postal process will satisfy the Minister 
as to a person's identity,indicating that DEASP are undertaking a form of risk analysis in 
relation to certain classes of PSC applicant. Attendance for SAFE 2 interview was not always 
required where there is significant mitigation of this risk. It is not fully transparent how this 
risk analysis was being conducted. 

28. The Government has in recent times proposed legislation to allow individuals to request 
their date of birth on the face of the PSC.^'^ It is also proposed to allow voluntary use of the 
PSC for providing information in respect of one's identity or date of birth to private sector 
entities. As it is currently an offence for non-specified bodies to accept the PSC as a form of 
identification, this represents a further extension in the use of the PSC beyond that of 
accessing government services.'*^ It will, however, remain an offence for a person to request 
or otherwise require a cardholder to produce a PSC unless the requester is a specified body 
carrying out a transaction in respect of the cardholder.^® 

29. In summary, and as will be demonstrated by the DPC's findings in this report, and the DPC 
concludes that the PSC project requires a coherent policy framework and a legislative 
review as well as much clearer communication with the public in order to render it 
compliant with data protection laws. 

1.4 Key definitions 


Department of Foreign Affairs and Trade, Press Release, "Passport Service announces new Measures to Combat 
Fraud and Identity Theft", 10 March 2016. 

See Department of Justice and Equality, "Form 8- Irish Nationality and Citizenship Act 1956, Application by a person 
of full age for naturalisation as an Irish citizen". 

Joint Committee on Employment Affairs and Social Protection debate. Public Services Card: Discussion (Resumed) 22 
Eebruary 2018 (see for example comments of Deputy Joan Collins) 
https://www.oireachtas.ie/en/debates/debate/ioint committee on employment affairs and social protection/2 

018-02-22/3/ . 

See for example the answer to Question 7 in the Comprehensive Guide ("Flow do people register to SAFE 2 
standard?"): "In some cases, where a customer authenticates their identity in another face-to-face engagement, the 
Department may collect elements of the PSI data by post and, with the consent of the customer, utilise existing 
photographs to complete the SAFE 2 process. This eliminates the need to attend at an Intreo centre or a dedicated 
SAFE Registration centre specifically for the purpose of registering to SAFE 2." 

Social Welfare, Pensions and Civil Registration Bill 2017, 

https://data.oireachtas.ie/ie/oireachtas/bill/2017/94/eng/initiated/b9417d.pdf. 

In DEASP's Response to the Draft Report, Part One, paragraph 17, it points out that "the provision being referred to 
would, if enacted, enable citizens to volunteer their PSC where they wish to use it as a form of proof of identity and/or 
age. Flowever, it is important to note that a non-specified body could not request or demand the production of a 
PSC. It simply gives individuals the option to use their PSC if they wish, as proof of identity and/or age, in transactions 
with non-specified bodies." 

These proposed amendments are discussed further in Part 1.8 of the Report. 


Page 25 of 172 






30. The Acts include specific definitions of key data protection terms, which inform the DPC's 
assessment of processing in connection with the PSC and SAFE registration. 

31. Under section 1 of the Acts, a "data controller" is defined as "a person who, either alone or 
with others, controls the contents and use of personal data". The term "personal data" 
includes data relating to a living individual who is or can be identified from the data. The 
term "processing" with regard to data is defined broadly as "performing any operation or 
set of operations on the data, whether or not by automatic means". Processing includes 
"disclosing the information or data by transmitting, disseminating or otherwise making it 
available". 

32. Section 1(3) of the Acts provides that certain officials may be designated as the data 
controller on behalf of state authorities. At the time of delivery of the DPC's Draft Report in 
August 2018, the Secretary General of DEASP was the designated data controller. (This 
position was recorded in a statement on DEASP's website at that time titled "Data 
Protection in the Department of Employment Affairs and Social Protection" which was 
noted to have been last modified in May 2018'^^). Flowever, the DPC notes that the current 
version of DEASP's Privacy Policy (April 2019 version'^®) does not refer to such a designation 
and states at Section 1.1 that DEASP is the data controller. The DPC does not have any 
information as to exactly when the Secretary General's designation as data controller for 
DEASP may have been revoked. In any event, the DPC has proceeded for the purposes of 
this report, on the basis that there is now no official designated as the data controller for 
DEASP, and that DEASP itself is the controller. 

33. The PSC is a card that is intended to be issued to individuals and to be used as a means of 
verifying identity when collecting welfare payments and using services funded by DEASP 
and other providers of public services. 

1.5 The History of the PSC 

34. The origins of the PSC can be traced to an Interdepartmental Report from 1996 which 
focused on the development of an Integrated Social Services System (ISSS) to provide a 
more integrated approach to the administration, delivery, management and control of 
statutory income support services.'*® The report focused upon, amongst other things, the 
use and future development of the then Social Services Card“ recommending its 


The statement recorded that: "The Data Controller for the Department is the Secretary General. The area nominated 
to carry out the functions of the Data Controller in the Department is the Business Information Security Unit (BlSU) 
whose contact details are given below." 

http://www.welfare.ie/en/Pages/disclaimer.aspx# Toc514857389 

Department of Employment Affairs and Social Protection, Inter-Departmental Report On The Development Of An 
Integrated Social Services System August 1996, http://www.welfare.ie/en/Pages/lnter-Departmental-Report-On- 
The-Development-Of-An-Integrate.aspx 

The Social Services Card was a standard plastic card which had a magnetic stripe and a signature stripe. The Social 
Services Card contained the person's name. Primary Account Number (PAN), RSI number and a card number. The 
magnetic stripe stored the PAN, the person's date of birth and sex. 
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expansion/^ consideration for the inclusion of a photograph on the card/^ as well as the 
development of an infrastructure and to set up national standards^^ for smart card 
technology to deliver services. 

35. The REACH project/^ which was born out of those recommendations, continued this 
momentum by further exploring these recommendations to develop a smart card which 
would act as a common gateway to government services, with the intention being that 
information which is sent to one government agency could be shared between agencies in 
a central database, thereby minimisingduplication and delaysforthe customer.^®Together, 
these initiatives formed the basis for sections 14 and 15 of the Social Welfare Act 1998 
which became the first legislative pronunciation for the PSC, which was at that time, the 
public service [singular] card ("Public Service Card").^^ 

36. The Social Welfare Act 1998 established a framework for the development of an integrated 
approach to the administration, delivery, management and control of publicly funded 
services. It formed a basis for the standardisation of the personal public service number 
(PPSN) system, the introduction of a Public Service Card and the application of technology 
to cards to develop new methods of paying social welfare benefits via electronic means. 
The Social Welfare Act 1998 also facilitated the sharing of information between relevant 
agencies for the purpose of determining entitlement to and control of publicly funded 
schemes.^® 

37. Sections 14 and 15 provided that this Public Service Card would replace the then social 
services card, of which over 1.6 million had already been issued. The card would have the 
person's name, their PPSN and the card's primary account number visible on front and 
would contain a magnetic stripe on the back with the person's name, PPSN, date of birth 
and gender encoded. The Social Welfare Act 1998 required an individual to produce his or 
her Public Service Card at the request of a specified body forthe purposes of a transaction.“ 


To support customer identification; speed up access to social services; support new electronic payment options; 
provide secure access to personal information which would enable the person to be more easily identified which 
should provide 'faster access to social welfare services, and supports new electronic payment options being made 
available to social welfare customers'. See S. 8 of the Inter-Departmental Report On The Development Of An 
Integrated Social Services System. 

Department of Employment Affairs and Social Protection, Inter-Departmental Report On The Development Of An 
Integrated Social Services System, August 1996 http://www.welfare.ie/en/Pages/lnter-Departmental-Report-On- 
The-Development-Of-An-lntegrate.aspx#8.14 

To become known as Standards Authentication Framework Environment. 

Department of Employment Affairs and Social Protection, Inter-Departmental Report On The Development Of An 
Integrated Social Services System. 

The stated aim of the Reach project was to 'achieve improved customer service delivery through a greater integration 
of social services delivered by different departments and agencies, aided by information technology'. Committee for 
Public Management Research, Discussion Paper 11 Improving Public Services in Ireland: A Case-Study Approach, 1999, 
p. 27 http://www.cpmr.gov.ie/Discussion.aspx 

Committee for Public Management Research, Discussion Paper 11 Improving Public Services in Ireland: A Case-Study 
Approach, 1999, p. 27 http://www.cpmr.gov.ie/Discussion.aspx 

Note the Social Welfare and Pensions Act 2010 amended the name of the card substituting the Public Service Card 
for the Public Services Card. 

See Section 14 of the Social Welfare Act 1998. 

53 Ibid. 

5° Section 14 Social Welfare Act 1998. 
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38. 


The then Minister for Social, Community and Family Affairs, indicated that the PPSN would 
not become a de facto national personal identifier, but would be used for public 
administration purposes only and could be sought by the public service only when there is 
a transaction with the person. The Minister also confirmed that the Public Service Card 
which would be used for such transactions "is not and will not operate as an identity card" 

39. It is important to note that the view of the DPC at the time“ was that some difficulties could 
arise with a system, with a common file reference number, that had a capacity to bring 
together files which are compiled for totally different purposes and that adequate 
safeguards and conditions would need to be considered under which State agencies would 
be permitted to share information. 

40. A Government Decision of 2004 provided further impetus to the project by approving the 
setting up of the SAFE Programme to progress the development of a standard for a PSC.®^ 

41. The acronym SAFE stands for "Standard Authentication Framework Environment". It was 
the standard later agreed by Government in 2005 for establishing and verifying an 
individual's identity for the purposes of accessing public services. Pursuant to SAFE, public 
services (includingthe processing of passport and driver licence applications) were provided 
to persons who had their identity verified to the equivalent of SAFE Level 1 standard (i.e. 
“on the balance of probabilities"). 

42. The Government Decision of 2005,“ in noting the substantial progress made by the SAFE 
Programme, approved the following: 

(1) the development of a detailed technical specification required for procurement 
of cards supporting the establishment and authentication of identity for access 
to public services noting that the Department of Social and Family Affairs will 
develop a Public Service Card, based on SAFE and compatible with the national 
Identity Management & Privacy Protection policy, to replace the existing Social 
Welfare Card; 

(2) the use of the Public Service Card for all existing card-based schemes and new 
schemes overtime and approved compulsory compliance with relevant aspects 
of the SAFE standard in the development of such schemes; 

(3) a request to each Department/Office/Agency operating or planning to operate 
card-based schemes to develop plans to use the Public Service Card where 


Dail Eireann debate. Social Welfare Bill, 1998: Second Stage (Resumed), Wednesday, 25 Feb 1998, available here 
https://www.oireachtas.ie/en/debates/debate/dail/1998-02-25/17/ 

See, for example, remarks referring to the reservations of the "Data Protection Agency" in the Dail Eireann debates 
referenced immediately above. 

Government Decision, S290/05/25/0025, 29 June 2004. 

Government Decision, S/290/05/0025, 6 July 2005. 
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possible or to ensure compliance with relevant aspects of SAFE where use of 
the Public Service Card is not possible; and 

(4) the development of proposals for a comprehensive national Identity 
Management & Privacy Protection Policy. 

43. The C&AG Report on the Accounts of the Public Services 2015 noted that the 
Accounting Officer of DEASP was of the view "that while a business case had not been 
developed, the project has been coherently planned and implemented in conjunction 
with DPER and with the support of relevant decision makers and stakeholders" 
Flowever, a cursory review of the lengthy list of legislative amendments and policy shifts 
since 1998 (the changes from 2005 onwards, when the Social Welfare Consolidation 
Act 2005 ("SWCA 2005") took effect, are detailed below would indicate that the 
approach to the implementation of the PSC was more piecemeal and less coherent than 
suggested.®® The DPC notes DEASP's objections to the DPC's description in this regard, 
firstly on the basis that it represents a "collateral undermining of the Comptroller and 
Auditor General's view on the PSC project" and secondly, contending that this 
description is sensationalist. DESAP say that the fact that primary legislation has been 
amended over the years is not cause for alarm. It also states that "the suggestion that 
the legislation involved is somehow incoherent is a serious but underdeveloped charge 
levelled against the Oireachtas''^^ Flowever the DPC considers that in circumstances 
where, as will be seen in Part 4 of this report, DEASP relies on the SWCA 2005 itself as 
the primary source for transparency information for data subjects in relation to 
processing of their personal data in connection with the PSC, the structure of the SWCA 
2005 and its complicated legislative development is very much relevant to the DPC's 
consideration of DEASP's obligations under the Acts. 

1.5.1 Development of the Public Services Card and its purposes 

44. The SWCA 2005 reaffirmed the legislative basis for the Public Service Card as outlined in the 
1998 Act. The Explanatory Memorandum to the SWCA 2005 as a Bill outlined that the 
Minister may issue to a person a Public Service Card on which certain information, for 
example the person's name and PPSN and date of birth, are either inscribed or stored 
electronically and that a person must produce his or her Public Service Card at the request 
of a specified body for the purposes of a transaction with that body.®® 

45. The Social Welfare and Pensions Act 2007 (the "2007 Act") provided an important 
amendment (in the context of the development of the PSC and the SAFE) to the SWCA 
2005, prescribing the inclusion of a person's signature and photograph as part of the Public 


“ Office of the Comptroller and Auditor General, 'Roll-out of the Public Services Card' Report on the Account of the 
public services 2015, http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
Paragraph 10.54. 

See Annex 2 of Report. 

DEASP's Response to Draft Report at Part 1, at paragraphs 13,14 and 31 

Department of Social and Family Affairs, Social Welfare Consolidation Act 2005 Explanatory Guide, 
http://www.welfare.ie/en/downloads/swcact exp 05.pdf 
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Service Identity ('PSI') set and permitting the Minister for Social and Family Affairs to issue 
a card with the person's name, PPSN, photograph, signature, card issue number and expiry 
date of the card Inscribed on the card and the person's name, PPSN, date of birth, sex, all 
former surnames (if any) of the person's mother, photograph, signature and expiry date of 
the card electronically encoded on the card.^^ The purpose of the 2007 Act was to provide 
for the Department to issue the new PSC under the SAFE Level 2 standard (i.e. "a substantial 
level of assurance")7° 

46. The Social Welfare and Pensions Act 2010 (the "2010 Act") provided further amendments 
with the inclusion of new data sets to be encoded on the Public Service Card itself^^ whilst 
the Social Welfare and Pensions Act 2011 (the "2011 Act")^^ provided for the cancellation 
or surrender of a Public Service Card. 

47. The 2010 Act also amended the name of the card substituting the Public Service Card for 
the Public Services [plural] Card (i.e. the PSC).^^ 

48. The DPC's Annual Report 2010 included commentary on the PSC which stated, among other 
things, the following: 

"We have flagged the phenomenon of function and Information creep on a number 
of occasions over the past few years. We remain convinced. In light of experience 
elsewhere, that over-reliance on one form of Identity creates weaknesses In security. 
Thankfully, we are not alone In our stance on this Issue and Government policy at 
present Is that the use of the PPSN must remain narrow. 

We are concerned to ensure the card and the data stored on It are captured and 
processed In a proportionate and balanced manner. The Incremental nature of the 
roll-out of the Public Services Card Is welcome as Is the active engagement of the 
Department of Social Protection with all stakeholders Including our Office to try to 
ensure that all relevant Issues are addressed. It has already completely taken on 
board a number of points which we have made, which I very much welcome. This 
Incremental process allows the Department and organisations using the card to 
monitor Its Implementation and address any Issues that may arise In advance of the 
card's universal distribution." 

49. DEASP suggest that the DPC's comments in its 2010 Annual Report, as referenced above, 
recognise the incremental nature of the development of the SAFE process and PSC as a 
positive feature of its development. DEASP contends that it is notable that "the DPC at the 
time anticipated and did not challenge that the PSC would ultimately achieve universal 


Section 32, Social Welfare and Pensions Act 2007 which inserted new provisions into Section 262 and substituted a 
new provision for Section 263(1) SWCA 2005 

See DEASP "Comprehensive Guide to SAFE Registration and the PSC", Question 34, page 36. 

Section 9(1) SWPA 2010 replaced s. 263(1) with a new s. 263(1) and added new subsections (lA) and (IB) respectively 
detailing information to be inscribed and stored electronically. 

Section 15 SWPA 2011 inserted a new S.263A in SWCA 2005 providing for cancellation of a public services card. 

The change of name was effected by s. 9(1) SWPA 2010. It did so by substituting s. 263(1) SWCA 2005. 
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distribution".^^ The DPC rejects this misinterpretation of its comments above which clearly 
warned against "function and information creep" and the importance of engaging with all 
stakeholder in relation to such a project. These concerns around the potential for function 
creep were echoed by the DPC in its subsequent statement on the PSC in its 2011 Annual 
Report (see further below). The DPC considers that the scale of the public concern in recent 
years in relation to usage of the PSC by public bodies (as identified in paragraph 21) is 
illustrative of the type of concerns which were referred to by the DPC in both the 2010 and 
2011 Annual Reports. 

50. Despite the legislative provisions in place, the roll out of the PSC was delayed until the end 
of 2011, principally due to a deterioration in public finances. 

51. The Department of Social Protection Fraud Initiative of 2011- 2013 (the "Fraud Initiative") 
provided extra stimulus to the project.^® It indicated that the PSC would provide public 
service providers with verification of an individual's identity, thus reducing the resources 
currently required to do so each time a member of the public tries to access a public service 
while at the same time making it harder for people to use false identities. 

52. The Fraud Initiative also envisaged that other public bodies may be able to act as agents in 
the registration process for the PSC and that, in time, chip and PIN technology could be 
utilised to provide even more secure payment provision. It indicated that the PSC had been 
introduced to enable individuals to gain access to public services more efficiently and with 
a minimum of duplication of effort, while at the same time preserving their privacy to the 
maximum extent possible. This document also indicated that the PSC was designed to 
replace other cards within the public sector and to make it easy for providers of public 
services to verify the identity of customers. It was also stated that the PSC provided a higher 
and enhanced level of assurance as to identity and that it acted as a key tool in the 
prevention and detection of identity fraud. 

53. Around this time, as noted above, the DPC's Annual Report 2011 again considered the PSC 
stating, among other things, the following: 

The rollout of the new Public Services Card by the Department of Social Protection 
commenced In 2011, with the card Introduced on a phased basis to approximately 
5,000 social welfare recipients across the country. 

In 2011 my Office visited the Public Services Card personalization and distribution 
facility accompanied by officers from the Department of Social Protection and we 


DEASP's Response to the Draft Report, Part l.ll paragraph 28. 

Office of the Comptroller and Auditor General, 'Roll-out of the Public Services Card' Report on the Account of the 
public services 2015, http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapterl0.pdf 
Paragraph 10.20 

Department of Social Protection, Department of Social Protection Fraud initiative 2011 - 2013, September 2011, 
WWW, welfare.ie/en/downloads/fraudinitiative2011.pdf 
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were satisfied on the basis of their tour that there is a strong security focus in 
evidence throughout the backend operation. 

My key concerns in relation to the Public Services Card have always been based on 
the potential for function creep' with regard to the proliferation of the PPSN and the 
potential risk that it will be seen as a de facto national identification card. 

I will continue to follow all developments associated with the Public Services Card 
very closely to ensure it is used in an appropriate manner and does not give rise to 
any data protection or identity theft concerns. 

54. The Social Welfare and Pension Act 2012 (the "2012 Act") made a number of significant 
amendments regarding the provision of information for the purpose of establishing 
identity." The Minister for Social Protection, provided the following rationale for the 
amendments: 

Welfare fraud is a serious crime and the Department of Social Protection is doing 
everything it can to crack down on people who abuse the system. It is a small number 
of people but any amount lost to fraud is significant. When high risk areas are 
identified targeted control measures are put in place to reduce the risk of fraud and 
abuse of the system. The Department has begun the phased introduction of the 
public services card with key security features, including a photograph and signature, 
which will be used to authenticate the identity of individuals. One of the advantages 
of the public services card is that it will help to reduce fraud and error which result 
from the incorrect identification of claimants. Under the existing legislative 
provisions there is no mandatory reguirement for a person to allow for his or her 
photograph and signature to be captured and reproduced in electronic format for 
purposes of a PPSN allocation, public services card and claims for social welfare 
benefits. I will be proposing a change to provide for the introduction of a new 
condition for any new claim for social welfare payment that the claimant must satisfy 
the Department as to his or her identity including allowing for electronic capture of 
photograph and slgnature.^^ 

55. A further amendment was introduced by the Social Welfare and Pensions (Miscellaneous 
Provisions) Act 2013 (the "2013 Act") whereby powers were provided to the Minister to 
disqualify an individual from receiving high value services where their identity is not 
authenticated to the Minister's satisfaction.^® (In practice the Minister requires 
authentication to SAFE 2 standard. As noted above, the implementation of the SAFE [Level] 
2 standard of registration purports to facilitate identity verification to a “substantial level" 
of assurance. This is the minimum authentication level for issuing a PSC.) 


Section 15, Social Welfare and Pensions Act 2012 which made amendments and insertions of provisions in relation 
to Section 241, 262 and 263 SCWA 2005 

Dail debate. Social Welfare and Pensions Biii 2012: Second Stage, 18 April 2012, the then Minister for Social 
Protection, Deputy Joan Burton, https://www.oireachtas.ie/en/debates/debate/dail/2012-04-18/37/ . 

Section 11 of the Social Welfare and Pensions (Miscellaneous) Provisions Act 2013 which inserted Section 247C into 
the SWCA 2005 
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56. Additionally, the Government in a Decision of 2013 (the "2013 Government Decision") 
approved the re-constitution of the interdepartmental SAFE Committee with a remit to 
ensure the use of the PSC for all appropriate services by 2016.®° The 2013 Government 
Decision also provided authorisation for other Government Departments and agencies, in 
conjunction with the interdepartmental SAFE Committee, to explore the legal avenues and 
practicalities involved in requesting the PSC from users seeking to access their services. In 
a subsequent decision in 2017, (the "2017 Government Decision")®^ agreed to the 
publication of the eGovernment Strategy 2017-2020 and committed to the "scheduled 
adoption of the MyGovID service and the Public Services Card infrastructure by specified 
public services over the next 18 months". 

57. The Department of Social Protection Compliance and Anti-Fraud Strategy 2014—2018 (the 
"Strategy") advocated the continued roll out of the PSC by identifying the apparent benefits 
that it considered the card to offer, such as significant new protections against welfare fraud 
and opportunities to expand its use across a broader range of public services.®^ Flowever, 
based on the information provided by DEASP, identity fraud, detected though facial 
recognition software, represents one of the less frequent types of fraudulent claims for 
social welfare payments (approximately 2.3% of all detected fraud overpayments recorded 
in 2017).®® The Strategy highlighted that the PSC could also be utilised by public bodies to 
enhance or replace existing identity registration and verification. Notably however, the 
Strategy did not indicate that the PSC (as a token of SAFE 2 registration) would become a 
requirement to access public services beyond the high value services provided exclusively 
by the Department of Social Protection. 

58. Further legislative measures were also enacted in 2014 and 2015 to allow for the 
confiscation of the PSC by a payment service provider and to require an individual 
presenting for a social welfare benefit to furnish either his/her PSC or another card issued 
by the Minister along with other information and documentation.®"‘ 

59. The DPC notes that one of the thematic objections consistently raised by DEASP in its 
responses to the Draft Report is that the DPC "singles out" the 2013 Government Decision 
and suggests that this expanded the utilisation of the PSC by non-legislative means. DEASP 
state in this regard that it is unfair and misleading to single out Government decisions while 
failing to mention or downplaying clear legislative underpinnings.®® In this regard, DEASP 
considers that the DPC: 

must highlight that the 2013 Government Decision simply mandated that Government 

Departments and agencies should utilise the power available to them under legislation. 

The 2013 Decision re-affirmed a Government commitment that was provided for in the 


Government Decision, S180/20/10/1789, 18 September 2013. 

81 Government Decision, S180/20/10/2189, 12 July 2017. 

81 Department of Social Protection, Compliance and Anti-Fraud Strategy 2014 -2018. 

88 DEASP's Response to the Draft Report, Part 3.1.13, paragraph 8. 

81 See Section 3(e) of the Social Welfare and Pensions Act 2014 and Section 9(a) of the Social Welfare (Miscellaneous 
Provisions) Act 2015. 

88 DEASP's Response to Draft Report at Part 1, paragraph 33 
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1998 Act and the SWCA 2005 that SAFE 2 authentication, verified by the PSC, would be 
required for all appropriate Government servicesf^ 

60. While the DPC notes the DEASP's position that the legislation which provided for the PSC to 
be utilised by other public services had been in existence since 1998, the purpose of this 
report however is to evaluate, with regard to data protection legislation, whether there is 
a legal basis for the processing carried out by DEASP in connection with the use of the PSC 
by both DEASP and other public bodies. Regardless of that question, the DPC considers that 
it is fair to trace back, and attribute, the policy motivation or seeking to utilise the PSC in a 
broader range of public services, to the 2013 Government Decision. At the same time, the 
DPC notes that it is DEASP's view that legislation which allowed for such utilisation of the 
PSC was already in place at that time. That legislation is the focus of the DPC's analysis, in 
Part 3 of this report, as to whether there is a legal basis for the processing conducted by 
DEASP in relation to the PSC. 

1.5.1.1 Current policy regarding denial of services 

61. According to DEASP, it is Government policy that people accessing valuable public services 
should have their identity authenticated to SAFE 2 standard®^. DEASP states that this is not 
an unreasonable requirement and is an issue for determination by Government as a matter 
of public policy*®. Elowever, the DPC notes that this in effect results in the denial of service 
to individuals who fail to prove their identity by use of the PSC. The majority of the services 
involved are high value payment services provided by DEASP. However, certain bodies 
other than the DEASP now also require production of the PSC or insist on a person being 
SAFE 2 registered, in other words by registering for a PSC, before being able to access a 
service.*® 

62. This policy does not appear to have been explicitly provided for in legislation. Rather, as 
will be set out in detail in this report. Section 263(3) of the SWCA 2005 (as amended) 
appears only to require the production of the PSC where a person has already been issued 
one. As will be seen from Part 3, DEASP strongly disputes the DPC's position in this regard. 

63. In July 2016, the DPC, on foot of plans for a further expansion of the PSC, sought information 
and outlined its views in respect of transparency around the planned extended use of the 
PSC, to the Office of the Government Chief Information Officer. The DPC also wrote to the 
Department of Social Protection in August 2016 outlining its views and by September 2016 
assurances were received that the issues the DPC identified would be addressed. 


DEASP's Response to Draft Report at Part 1, paragraph 32 
DEASP's response to the Draft Report, Part 1, paragraph 34. 

DEASP's Response to Draft Report at Part 1, paragraph 34. 

For example for issuing passports, see Department of foreign Affairs and Trade, Public Service Card, 
https://www.dfa.ie/passports-citizenship/top-passport-questions/public-services-card/ .All first-time passport 
applicants aged 18 and above who are resident in Ireland must present a photocopy of their PSC when making an 
application, as must applicants whose last passport was Issued more than 5 years ago and has expired or applicants 
whose passport was issued earlier than 2005 and is lost/ stolen/ damaged. 
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64. 


The eGovernment Strategy 2017—2020 highlighted that the PSC infrastructure underpins 
access to public services by citizens, and is critical to the successful delivery of the 
eGovernment strategy.Critically, it also listed a number of public services for which SAFE 
2 registration would be required including for driver theory test applications and first-time 
adult passport applications in the State. These requirements would appear to originate with 
the 2013 Government Decision referred to above (and reaffirmed in the 2017 Government 
Decision) and various policy pronouncements rather than in any provisions under primary 
legislation requiring identity verification to the level of the SAFE 2 standard in respect of 
such other specific pubiic services. The DEASP online document entitled "Why might I need 
a Public Services Card (PSC) in the future?"®^ also appears to reflect the 2013 Government 
Decision stating that "the PSC infrastructure is the Government's standard identity 
verification scheme, which is to be used for access to aii pubiic services where appropriate " 
[emphasis added]. This document sets out the various government departments and offices 
which have committed to adopting the PSC and MyGovID infrastructure for specified public 
services within identified timeframes (some of which are already applicable).“ These 
include services provided by the Department of Education and Skills, the Department of 
Foreign Affairs and Trade (Passport Office), Student Universal Support Ireland (SUSI), the 
Road Safety Authority,®^ the Department of Justice and Equality, the Flealth Services 
Executive, and the Department of Agriculture and the Marine. 

65. In August 2017, the DPC issued a statement on the PSC which stated, among other things: 

The Data Protection Commissioner notes the ongoing pubiic commentary in reiation to 
the Pubiic Services Card (PSC). Whiie a framework to authenticate identity of individuais 
avaiiing of State services is an entireiy iegitimate government poiicy choice, 
transparency to the pubiic on the underpinning iegisiative provisions, what data is being 
coiiected, for what purpose, and with whom data may be shared and for what purpose, 
needs to be adeguateiy addressed. 

The Data Protection Commissioner and her staff have strongiy conveyed their views on 
numerous occasions to the Department of Sociai Protection and in a number of other 
fora, inciuding at Oireachtas Committee hearings, that there is a pressing need for 
updated, dearer and more detaiied information to be communicated to the pubiic and 
services users regarding the mandatory use of the Pubiic Services Card for accessing 
pubiic services. The provision of up-to-date, comprehensive and reievant information to 
the pubiic is not just part of the openness and transparency reguirements for the fair 
processing of personai data under data protection iaw, but aiso in the interests of 
maintaining pubiic confidence in the system. 


The Department of Public Expenditure and Reform, eGovernment Strategy 2017-2020, June 2017, 
http://egovstrategv.gov.ie/wp-content/uploads/2017/07/eGovernment-Strategv-2017-2020.pdf 

Available at https://www.welfare.ie/en/downloads/PSCFUTURE.pdf , accessed 10 August 2018. 

See response to Question 17 of the Comprehensive Guide ("What are the services that will require an individual to 
have SAFE registered and the timelines bv which SAFE 2 registration will be required?") 

See Part 1.3 for further commentarv in relation to the change of position in this regard. 
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The Commissioner highlighted the transparency issue in relation to the card in the 2016 
Annual Report when she highlighted that the '....implementation of large-scale 
government projects without specific legislative underpinning, but rather relying on 
generic provisions in various pieces of legislation, poses challenges in terms of the 

transparency to the public . and the uses to which personal data is now being applied. 

While a lawful basis for such use of personal data can be cited, the need for notice and 
transparency is especially high in these types of cases and it is not always clear that 
public clarity has been delivered.' 

The Data Protection Commissioner has sought that the Department of Social Protection 
publish a comprehensive FAQ to fully clarify all of the arrangements, procedures and 
legislative provisions relating to PSC. The comprehensive list of guestions, which the 
Department of Social Protection has agreed to answer and publish, were provided by 
the Data Protection Commissioner. 

66. Further to the DPC's abovementioned request that a comprehensive FAQ be published, the 
DEASP (as the Department of Social Protection then became) subsequently published a 
document titled "Comprehensive Guide to SAFE registration and the PSC" (referred to in 
this report as the "Comprehensive Guide") in October 2017. 

67. While the information contained in that document is further referred to later in this report, 
it is notable that the document confirms that the DEASP is the sole body in the State 
currently providing SAFE 2 registration.®^ 

68. A new privacy statement was published on DEASP's website on 16 July 2018, to account for 
processing under the GDPR. 

1.6 The Legislative Framework for the PSC 

69. This report includes an assessment of the sections of the SWCA 2005 which have been cited 
by the DEASP in the Comprehensive Guide published in October 2017. This was published 
at the request of the DPC, as indicated in the DPC's public statement in August 2017 which 
is discussed above at paragraph 65. 

70. Until late February 2018, the DPC had not been furnished with, nor made aware of any 
publication of a consolidated set of legislation which reflected the large volume of 
amendments made to the SWCA 2005 since enactment. As the primary piece of legislation 
in the social welfare field, the SWCA 2005 has been subject to amendments made to it by 
at least one other enactment every year since 2005. 


Data Protection Commissioner Statement on the Public Services Card, 30 August 2017. 

In its reply to Question 13 of the “Comprehensive Guide to SAFE Registration and the Public Services Card",{“what 
government entities can conduct SAFE registration?") the following is stated: 

"There are a number of State bodies specified in law in Schedule 5 of the Social Welfare Consolidation Act that can SAEE 

register a person . However, the Department of Employment Affairs and Social Protection is the sole body in the 

State that currently provides SAEE 2 registration." 
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71. For the purposes of this investigation and report only, the DPC compiled an unofficial 
consolidation of those sections of the SWCA 2005 which are central to the issue under 
consideration. This unofficial consolidation is included at Annex 2. 

72. DEASP has also now published a "running consolidation" of the SWCA 2005 on its website. 
It is unclear when this was first made available to the public but in any event this occurred 
after the commencement of this investigation. The document produced®® consists of 561 
pages and includes 2410 footnotes relating to amendments and substitutions. 

73. The introductory text to the DEASP's "running consolidation" notes that: 

While every care has been taken in the preparation of this Consolidated Act, the 
Department of Employment Affairs and Social Protection can assume no responsibility 
for and give no guarantees, undertakings or warranties concerning the accuracy, 
completeness or up-to-date nature of the information provided and does not accept any 
liability whatsoever arising from any errors or omissions. [...] 

How to use this Guide 

Since its enactment in 2005, the Social Welfare Consolidation Act has been extensively 
amended by subseguent Social Welfare Acts, as well a number of other non-Social 
Welfare Acts and Orders. The aim of this Guide is to bring all of these amendments 
together into a single document. 

While every effort has been made to ensure the accuracy of this Guide, it may 
nevertheless, contain errors in the text as well as in the formatting of the text. Users of 
this Guide are therefore advised to satisfy themselves as to the accuracy of the text by 
also consulting the 2005 Consolidation Act and relevant amending Acts. 

lA. The DEASP's "running consolidation" goes to explain to the reader over 4 pages, which 
includes a list of all the amending acts and orders, how to use the guide, explaining the 
different types of amendments, and explaining that there are amendments still to be 
commenced and that there have been changes to scheme names and payment schedules. 

75. The sections of the SWCA 2005 upon which the DEASP relies in relation to the issues under 
consideration in this report have been amended many times since their original enactment. 
At the Joint Committee on Employment Affairs and Social Protection on 8 February 2018, 
multiple references were made to the fact that there is no [official] consolidated version of 
the SWCA 2005 and its amendments, and that more than five different Acts had to be 
referred to in order to get a clear picture of the social welfare legislation.®^ By way of example 


https://www.welfare.ie/en/downloads/RunningConsolidation-of2005Act.pdf 

Joint Committee on Empioyment Affairs and Sociai Protection debate, 8 February 2018, avaiiable here 
https://www.oireachtas.ie/en/debates/debate/ioint committee on employment affairs and sociai protection/2 

018-02-08/3/ 
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of the extent of amendments, set out below are the numbers of amendments made to 
certain of the key provisions examined in Part 3 of this report: 

• Section 241 has been amended by 11 enactments, resulting in 28 changes,®* 

• Section 262 has been amended by six enactments, resulting in 18 changes (2 of which 
are non-textual restrictions on application),®® 

• Section 263 has been amended by three enactments, resulting in six changes (this does 
not include amendments made to sections 263A or 2636).“° 

76. By way of observation, it is also noted, and while they do not directly impact the key 
provisions under examination in this report, at the time of writing, 363 Statutory Instruments 
were made bearing the words "Social Welfare" in the title since 2005,^°^ which, in the DPC's 
view, further adds to the complexity of the legislative framework in question. The complexity 
and fragmented nature of the legislative framework has a central bearing on the issue of 
transparency of processing, which is considered in Part 4. 

77. For completeness, it is also noted that other sections of the SWCA2005 have been amended 
multiple times, but not all relevant sections of later amending legislation have not been 
commenced. To illustrate section 265 has been amended by four subsequent enactments 
and is the subject of an amendment proposed in section 13 of the Social Welfare and 
Pensions Act 2008, which has not yet been commenced. 

1.7 The Purpose of the DPC's Investigation of the PSC 

78. In late 2017, having considered the information provided by the DEASP in relation to queries 
raised by the DPC on certain data protection issues concerning the PSC, the DPC formed the 
view that further examination was required in order to validate the information received to 
date and to assess whether DEASP was in compliance with its obligations pursuant to the 
Data Protection Acts 1988 and 2003 (the "Acts"). 

79. Accordingly, the DPC decided to conduct this investigation under section lO(lA) of the Acts. 
Section lO(lA) provides as follows: 


Amended by the Social Welfare Law Reform and Pensions Act 2006, the Social Welfare and Pensions Act 2007, the 
Social Welfare and Pensions Act 2008, the Social Welfare And Pensions Act 2009, the Social Welfare and Pensions 
Act 2010, the Social Welfare and Pensions Act 2011, the Social Welfare Act 2011, the Social Welfare and Pensions 
Act 2012, the Social Welfare (Miscellaneous Provisions) Act 2015, the Social Welfare Act 2016 and the Social Welfare 
Act 2017. 

Amended by the Social Welfare and Pensions Act 2007, the Social Welfare and Pensions Act 2010, the Social Welfare 
and Pensions Act 2011 and the Social Welfare and Pensions Act 2012, the Credit Reporting Act 2013 and the Data 
Sharing and Governance Act 2019. 

™ Amended by the Social Welfare and Pensions Act 2007, the Social Welfare and Pensions Act 2010, the Social Welfare 
and Pensions Act 2012. 

However, note that at least one S.l. affects the administration of the PSC and SAFE, for example, S.l. No. 344/2019 - 
Social Welfare Consolidation Act 2005 (Specified Bodies) Regulations 2019 amends Schedule 5 to the SWCA 2005. 
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The Commissioner may carry out or cause to be carried out such investigations as he 
or she considers appropriate in order to ensure compliance with the provisions of this 
Act and to identify any contravention thereof 

1.7.1 Focus of report 

80. This report is focused specifically on the processing by DEASP of certain personal data (as 
described in paragraphs 175 to 176) in connection with the PSC, including the SAFE 
registration (identity authentication) process, which is carried out for the purposes of 
issuing a PSC and the following central issues: 

(1) The question of whether there is a legal basis under data protection law for the 
processing of personal data (as described in paragraphs 175 to 176) - by DEASP in 
connection with the PSC and SAFE registration (Part 3); and 

(2) The extent to which such processing is transparent to data subjects (in other words 
members of the public whose personal data - as described in paragraphs 175 to 176 
is processed by DEASP for these purposes) by providing information to data 
subjects in relation to that processing (Part 4). 

1.7.2 Legal Framework for the DPC's investigation 

81. The DPC's investigation was commenced prior to the application of the GDPR, and as it has 
therefore not been conducted under the GDPR, the findings made in this report pertain to 
DEASP's compliance with its relevant obligations under the Acts. Flowever, the GDPR 
became applicable on 25 May 2018, and DEASP is now required to comply with the data 
protection obligations arising under the GDPR, as given further effect in the State by the 
Data Protection Act 2018. As such, observations and comments are included in this report 
for the purpose of assisting DEASP towards achieving compliance with data protection law 
under the GDPR. Flowever, these observations and comments are not binding for the 
purposes of this report in circumstances where the investigation was carried out under and 
by reference to the Acts rather than the GDPR and the 2018 Act. Such GDPR related 
observations and comments are colour coded in green text throughout this report. 

Remit and independence of the DPC 

82. Section 9 of the Acts provided for the establishment of the Data Protection Commissioner, 
now the Data Protection Commission pursuant to the Data Protection Act 2018 (as detailed 
further below). Both the Data Protection Commissioner and the Data Protection 
Commission which succeeded the Data Protection Commissioner are referred to as the 
"DPC" throughout this report. 

83. Section 9(1) of the Acts states: 

For the purposes of this Act, there shall be a person (referred to in this Acts as the 
Commissioner) who shall be known as an Coimisineir Cosanta Sonraior, in the English 
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language, the Data Protection Commissioner; the Commissioner shall perform the 
functions conferred on him by this Act. 

84. Section 9(2) states: 

The provisions of the Second Schedule to this Act shall have effect in relation to the 
Commissioner. 

85. Paragraph 1 of the second schedule to the Acts states: 

The Commissioner shall be a body corporate and shall be independent in the 
performance of his functions. 

86. Accordingly, it is a requirement under the Acts that the DPC be independent in the 
performance of his or her functions. This required, among other things, that the DPC be 
independent of Government in the performance of his or her functions and that the DPC 
have no role in relation to making Government policy. (The requirement of independence 
is continued under the Data Protection Act 2018 and the GDPR). 

87. One of the tasks of the DPC under the Acts was to monitor the lawfulness of the processing 
of personal data. This task applies to all processing of personal data in the State irrespective 
of whether it is carried out in the public sector, the private sector or elsewhere. (Similar 
tasks are imposed under the Data Protection Act 2018 and the GDPR). 

88. The Data Protection Act 2018 was commenced on 25 May 2018. This legislation established, 
under section 10, the Data Protection Commission as the data protection supervisory 
authority in Ireland for the purposes of the GDPR.“^ Section 14 of this Act provides for the 
transfer of all functions previously vested in the Data Protection Commissioner to the Data 
Protection Commission. Sections 14(2) and (3) clarify that references to the Data Protection 
Commissioner in the Acts or in other enactments are now to be construed as references to 
the Data Protection Commission. 

89. Section 8(3) of the Data Protection Act 2018 provides that an investigation initiated under 
section 10 of the Acts (such as this investigation) which was begun but not completed prior 
to the enactment of the 2018 Act, shall be completed in accordance with the previous Acts. 

90. As this investigation was commenced under the Acts, accordingly, it is the law under the 
Acts that applies for the purpose of this investigation. Notwithstanding this, the GDPR and 
Data Protection Act 2018 apply to ongoing processing by DEASP in respect of its obligations 
as a data controller. The DPC reserves the right to commence such further or additional 
inquiries, audits and/or investigations in respect of such processing to assess compliance 
with the GDPR and the 2018 Act as it considers appropriate. 


Also for the purposes of the Law Enforcement Directive (Directive (EU) 2016/680) which was transposed by way of 
certain parts of the Data Protection Act 2018. 
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91. Arising from the above described provisions, this investigation relating to a public sector 
project has been conducted by the DPC in accordance with the DPC's statutory duty to be 
independent in the performance of its functions. 

1.8 Concept of a "national identity card" 

92. For the avoidance of doubt—and as already noted above— it is not the purpose of this 
investigation to determine whether the PSC is a national identity card. The phrase "national 
identity card' can be an emotive one that has no universal definition. It is worth noting that 
the phrase may carry different meanings in different contexts. For example, the European 
Parliament has noted in a briefing document that currently there are at least 86 different 
versions of identity cards in circulation in the EU.“^ Flowever, the phrase sometimes invokes 
connotations of a card which citizens must carry at all times and which must be produced 
by citizens on demand by a law enforcement officer. There is no such requirement in 
respect of a PSC and the DPC acknowledges that this is not the purpose of the PSC. 
Ultimately though, it is not for this report to determine whether the PSC is or could be 
considered to be a type of national identity card. 

93. The DPC also notes that the DEASP's position in its "Comprehensive Guide to SAFE 
Registration and the Public Services Card" is that the PSC is not a national identify card. In 
response to question 37 ("Is the PSC an Identity Card?"), the DEASP states: 

The Public Services Card is not a national ID card as it does not bear the 
characteristics of such a card. For example, it isn't compulsory for a person to have 
one simply by virtue of being resident in the State (which it would be if it was a 
National ID). Most countries with a national ID card require people to carry it with 
them (in some cases at all times) - there is no such law in Ireland compelling people 
to carry the Public Services Card. 

Equally, it cannot be requested by any public or private body or person not included 
as a specified body in Schedule 5 of the Social Welfare Consolidation Act 2005 (as 
amended). In many countries operating a national ID card, private bodies are 
required by law to check a person's identity through their national ID card before 
providing them with service, particularly in financial and insurance sectors. By 
contrast, the PSC can only be used by public bodies specified in the legislation and 
their agents in the context of conducting a public transaction with the person 
concerned. Therefore, the legislation narrows its application considerably and proves 
that the intent of the card has always been limited to the provision of public 
services. 


European Parliament Briefing "Security of ID cards and residence documents issued to EU citizens and their families" 
http://www.europarl.europa.eu/RegData/etudes/BRIE/2018/621846/EPRS BRI(2018)621846 EN.pdf 
Department of Employment Affairs and Social Protection, Comprehensive Guide to Safe Registration and the Public 
Services Card, October 2017, page 38. 
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94. Notwithstanding the last sentence in the statement above from the Comprehensive Guide 
that "the intent of the card has always been limited to the provision of public services", it is 
notable that, as referred to above, the Social Welfare, Pensions and Civil Registration Bill, 
2017 proposes, among other things, to permit PSC holders to produce the card voluntarily 
for identity purposes to bodies that are not specified in law. Under that proposed legislation 
it will continue to be unlawful for a non-specified body to request an individual to produce 
their PSC to prove their identity. 

1.9 Report Structure 

95. As noted above, this report focuses on the central issues of the legal basis for DEASP's 
processing of personal data in connection with the PSC (including the SAFE registration 
process) and the transparency of such processing. The report is structured as follows: 

(1) Introduction (Part 1); 

(2) Overview of the data protection framework (Part 2); 

(3) Lawfulness of Processing (to include certain retention issues) - Legal Basis (Part 3); 
and 

(4) Transparency (Part 4). 

96. While the DPC's Draft Report also dealt with the issues of security of processing and the 
legal basis for certain processing operations concerning facial matching (together with a 
number of specific use cases of the PSC by certain public bodies), those issues have not 
been included in this finalised report.Instead, as noted above in Part 1.2, the DPC will 
issue a further draft report which will contain a number of provisional findings in relation to 
those issues. (Those provisional findings will be based in part upon the additional 
information which the DPC received from DEASP on 30 November 2018 in response to the 
DPC's various requests for information which were made to DEASP on 28 August 2018 
contained in the Draft Report delivered on that date.) DEASP will be invited to make further 
submissions in relation to those provisional findings. Once the DPC has received those 
submissions and has had an opportunity to take any such submissions into account, it will 
revise that draft as it considers appropriate and issued a finalised report on those issues. 

References to data protection law 

97. It is important to note at the outset that Part 2 sets out the relevant provisions of data 
protection law that are considered in this report. Repeated reference will be made 
throughout this report to the various provisions. Elowever, the explanation of those 
provisions of data protection law will not be repeated. Readers are therefore directed to 
Part 2 for an explanation of the provisions in question. 


See paragraphs 175 to 177 which identify the scope of the personal data, processed by DEASP in connection with the 
PSC and SAFE registration, which is the subject matter of this report. Paragraph 178 describes certain other personal 
data, the processing of which is not considered in this report, and clarifies that this will/ may, as relevant, form the 
subject of a separate report by the DPC. 
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1.10 Status of this report and findings 


98. This report reflects the DPC's findings as to facts as of August 2019“® in relation to the law 
under the Acts. The DPC's findings as to DEASP's compliance or otherwise with its 
obligations as a data controller under the Acts are statutory findings in accordance with 
Section lO(lA), as quoted above. 

1.11 Resources 

99. The DPC's investigation into the matters which are the subject of this report involved a 
detailed review of materials supplied to the DPC by DEASP, as well as a review of other 
source materials identified by the DPC, outlined below. The investigation was co-ordinated 
by the DPC's Special Investigations Unit, with extensive input and analysis carried out by the 
DPC's Legal Unit, and assistance also provided by the DPC's Technology Unit. 

100. In addition to the information, documentation and submissions furnished to the DPC by 
DEASP in the course of this investigation, the relevant sources which the DPC considered 
when preparing this report are as follows: 

(1) Government Decisions 2004-2017: 

(a) Government Decision (S290/05/25/0025) of 29 June 2004; 

(b) Government Decision (S290/05/25) of 6 July 2005; 

(c) Government Decision (S180/20/10/1789) of 18 September 2013; 

(d) Government Decision (S180/20/10/2189) of 18 July 2017; 

(2) Statement of rationale for Government Decision (S180/20/10/1789); 

(3) Correspondence from the Road Safety Authority to the DPC on the legal basis for 

use of the PSC (July 2017); 

(4) "Roll-out of the Public Services Card" - Chapter 10 of Comptroller and Auditor 
General Annual Report for 2015 (September 2016); 

(5) Submission of DPC to the Department of Public Expenditure and Reform on the 
Data Sharing and Governance Bill, 1 August 2014; 

(6) "Comprehensive Guide to Safe Registration and the Public Services Card" - 
published, on the DEASP website October 2017; 

(7) DEASP public statement on the Public Services Card - published 25 August 2017; 

(8) Government of Ireland "Public Services Card" website - www.psc.gov.ie; 

(9) DEASP Annual Reports, 2004 and 2009-2016; 

(10) DEASP Statement of Strategy 2008 - 2010 

(11) List of bodies in receipt of PSI data from the DEASP in 2016, published on 
www.psc.gov.ie; 

(12) Documents received from DEASP titled as follows 

13 DEASP responses to DPC Audit queries, with Appendices 1 - 8 
SAFE Business Requirements (17 June 2005) 


The DPC considered the factual scenario as of August 2019 in relation to the main PSC and SAFE 2 resources as set 
out in Part 1.11, including the DEASP's Response to the Draft Report dated 30 November 2018. 
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(13) Answer by the Minister for Social Protection to Parliamentary Question 47 asked 
by Deputy Olwyn Enright - 25 May 2010; 

(14) Answer by the Minister for Public Expenditure and Reform to Parliamentary 
Question 40647/17 asked by Deputy Roisfn Shorthall - 26 September 2017; 

(15) Answers by the Minister for Public Expenditure and Reform to Parliamentary 
Question 46856/17 asked by Deputy Dara Calleary—9 November 2017; 

(16) Answers to Parliamentary Questions—23 January 2018; 

(17) Committee for Public Management Research Discussion Paper 11 Improving Public 
Services in Ireland: A Case-Study Approach (1999); 

(18) Department of Social Protection Fraud Initiative of 2011 - 2013 published 
September 2011; 

(19) Department of Social Protection Compliance and Anti-Fraud Strategy 2014 - 2018 
published April 2014; 

(20) EGovernment Strategy 2017 - 2020 published 27 July 2017; and 

(21) Department of Public Expenditure and Reform, Public Service Reform Plan 17th 
November 2011. 

(22) Transcript of "Public Services Card: Discussion" by Qireachtas Joint Committee on 
Employment Affairs and Social Protection - 8 February, 2018. 

(23) Transcript of "Public Services Card: Discussion" by Qireachtas Joint Committee on 
Employment Affairs and Social Protection - 22 February, 2018. 

(24) Department of Employment Affairs and Social Protection Privacy Statement, 
published on welfare.ie, 16 July 2018 and subsequent versions. 

(25) All correspondence exchanged between DEASP and the DPC between Qctober 
2017 and August 2019 regarding the conduct of the investigation and the ensuing 
report. 
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PART TWO 


THE DATA PROTECTION FRAMEWORK 
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2.1 Introduction 


101. As observed above, the focus of this investigation is the processing of personal data by 
DEASP in connection with the PSC, and in particular, by reference to the legal obligation 
upon data controllers to have a legal basis for the processing of the personal data concerned 
and to be transparent in relation to processing personal data with people whose personal 
data is processed. To that end, it is necessary to begin with an overview of the data 
protection framework which applies in Ireland. 

2.2 The Overarching Framework 

102. The right to protection of personal data is enshrined in both Article 8(1) of the Charter of 
Fundamental Rights of the European Union (the "Charter") and Article 16 of the Treaty on 
the Functioning of the European Union. 

103. Article 8 of the Charter provides as follows: 

1. Everyone has the right to the protection of personal data concerning him or her. 

2. Such data must be processed fairly for specified purposes and on the basis of the 
consent of the person concerned or some other legitimate basis laid down by 
law. Everyone has the right of access to data which has been collected 
concerning him or her, and the right to have it rectified. 

3. Compliance with these rules shall be subject to control by an independent 
authority. 

104. Any legislative measures deriving from EU law must be interpreted in the light of the 
fundamental rights which are guaranteed by the Charter and furthermore the principles 
which apply to those rights under the Charter. Article 52.1 of the Charter states that: 

Any limitation on the exercise of the rights and freedoms recognised by this Charter 
must be provided for by law and respect the essence of those rights and freedoms. 
Subject to the principle of proportionality, limitations may be made only if they are 
necessary and genuinely meet the objectives of general interest recognised by the 
Union or the need to protect the rights and freedoms of others. 

105. Accordingly, restrictions on the scope of rights protected under the Charter must, amongst 
other things, comply with the principles set out in Article 52(1) of the Charter. 

106. The key domestic legislation in relation to data protection which has applied during the 
period of the evolution of the PSC has been the Acts. 
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107. The Acts were enacted to give effect to the Data Protection Convention 1981“^ and 
Directive 95/46/EC (the "Directive"). 

108. A far-reaching overhaul of this entire area of law was introduced by the General Data 
Protection Regulation ('the GDPR'), which became applicable as a matter of EU law on 25 
May 2018. 

109. The Data Protection Act 2018 (the "2018 Act")—giving further effect to the GDPR in 
Ireland—entered into force on 25 May 2018. The 2018 Act provides the framework under 
which the GDPR must be applied in this jurisdiction. 

110. It should be noted that the GDPR is directly applicable (as an EU Regulation) and that data 
controllers and processors now need to refer to both the text of the GDPR and the 2018 Act 
to understand their obligations and the rights of data subjects from 25 May 2018 onwards. 

111. As explained above in Part 1.7.2, it is the law under the Acts that applies for the purpose of 
this investigation. 

2.3 Principles applicable to interpreting the Acts and the SWCA 

112. The DPC's assessment in its investigation as to whether there is a legal basis under the Acts 
for the processing of personal data by DEASP in respect of the PSC hinges primarily on the 
interpretation of domestic legislation, namely the SWCA 2005 and the Acts. Accordingly, 
before considering the statutory provisions at play in relation to the issue of whether there 
is a legal basis for the processing concerned, it is useful to set out the relevant principles of 
statutory interpretation for these purposes. 

2.3.1 Interpreting the Acts 

113. The first point of relevance is that in interpreting the Acts, which as noted above emanate 
from EU law (the Directive), there is a duty on national courts to do so in conformity with 
EU law which is regarded as an incident of the duty of sincere co-operation under Article 
4(3) of the Treaty on the European Union“®. This principle of interpretation must likewise 
inform the DPC's approach to interpreting and applying the Acts. As such, the Acts, insofar 
as they transpose the Directive must be interpreted in a manner that recognises the "high 
level of protection of the fundamental rights and freedoms of natural persons, in particular 
their right to privacy with respect to the processing of personal data"'‘-^°. In addition, the 


Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 
1981. 

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals 
with regard to the processing of personal data and on the free movement of such data. 

Eor example as recognised in Ireland in Albatros Feeds v. Minister for Agriculture & Food [2007] 1IR 221 and Eircom 
V Commission for Communications Regulation [2007] 1 IR 1. Similarly the duty of sincere co-operation was also 
recognised in NAMA v Dellway [2011] 4 IR 1. 

As per the CJEU in Case C-131/12, Google Spain, 13 May 2014. 
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provisions of the Directive must "necessarily be Interpreted in the light of the fundamental 
rights guaranteed by the Charter"}^^ Furthermore, restrictions on the scope of data 
protection rights must be interpreted narrowly. As the CJEU observed in Digital Rights 
Ireland: 

any limitation on the exercise of the rights and freedoms laid down by the Charter must 
be provided for by law, respect their essence and, subject to the principle of 
proportionality, limitations may be made to those rights and freedoms only if they are 
necessary and genuinely meet objectives of general interest recognised by the 
[European] Union or the need to protect the rights and freedoms of others. 

2.3.2 Interpreting the SWCA 2005 

114. Meanwhile, in addition to the general principle that national legislation should be 
interpreted compatibly with EU law, there are a number of principles of interpretation of 
domestic law that are relevant to the interpretation of the SWCA 2005. Again, these 
principles of interpretation must likewise inform the DPC's approach to interpreting the 
SWCA 2005. 

115. First, it is well-established that the primary rule of interpretation is literal, both at common 
law and under the Interpretation Act 2005. This focuses on the particular words and 
phrases used in the text of the legislation, the guiding principle being that words should be 
given their ordinary and plain meaning^^^. Section 5 of the Interpretation Act 2005 envisages 
this in providing as follows: 

"In construing a provision of any Act (other than a provision that relates to the 
imposition of a penal or other sanction) — 

(a) that is obscure or ambiguous, or 

(b) that on a literal interpretation would be absurd or would fail to reflect the plain 
intention of— 

(i) in the case of an Act to which paragraph (a) of the definition of "Act" in section 2 
(1) relates, the Oireachtas, or 

(ii) in the case of an Act to which paragraph (b) of that definition relates, the 
parliament concerned, 

the provision shall be given a construction that reflects the plain intention of the 
Oireachtas or parliament concerned, as the case may be, where that intention can 
be ascertained from the Act as a whole." 

116. Second , as is apparent from Section 5 of the Interpretation Act 2005, recourse may only be 
had to a purposive (rather than literal) approach in the construction of a statutory provision 
in three circumstances: 


As per the CEJU in Case C-362/14 Schrems v Data Protection Commissioner, 6 October 2015. 

CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and 
Natural Resources, 8 April 2014. 

See for example Howard v Commissioners of Public Works [1994] 1IR 101, at 151-153. 
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(1) Where the provision of the statutory provision is obscure or ambiguous; 

(2) Where a literal interpretation would be absurd; or 

(3) Where a literal interpretation would fail to reflect the legislative intent. 

117. It is also the case that even if a court reaches the conclusion that a literal interpretation of 
a provision would lead to an absurd result or would defeat the intention of the enacting 
body, it is not free to ignore or to read words out of a statutory provision or to adopt an 
interpretation that is not open on the language used^^"^. 

118. Third , it is clearly permissible for a court to have regard to an Act as a whole when 
interpreting a particular statutory provision^^^. Section 5 of the Interpretation Act 2005 
expressly envisages that "the provision shall be given a construction that reflects the plain 
intention of the Oireachtas or parliament concerned, as the case may be, where that 
intention can be ascertained from the Act as a whole". 

119. Fourth , in general, the power to read words into a statute can only be exercised in very 
limited circumstances^^®. 

120. Fifth, statutory provisions should not be interpreted in such a manner as to render them 
redundant^^^. 

121. Sixth , however, a court cannot legislate to render an ineffective statutory provision 
effective^^*. 

122. Seventh , penal or other sanctions provisions must be interpreted restrictively and are not 
subject to the literal rule of interpretation in Section 5 of the Interpretation Act 2005^“. In 
this regard. Section 5 excludes a provision "that relates to the Imposition of a penal or other 


As Keane J stated in Mulcahy v Minister for the Marine (Unreported, High Court, 4 November 1994), a court is not 
"entitled to do violence to the plain language of an act in order to avoid an unjust or anomalous consequence". 

D Dodd, Statutory Interpretation in Ireland (2008), section 8.09). Dodd notes that "[t]he most fundamental part of 
the legal context of a proylslon Is the enactment as a whole, that is, the enactment in which the proyision is to be 
interpreted appears". He also notes that "Blackburn J's summary of the literal and golden rules in River Wear 
Commissioners v Adamson envisages considering the Act as a whole as part of the literal and absurdity rules. Section 
5 of the 2005 Act provides that, in certain circumstances, a provision is to be given a construction that reflects the 
plain intention of the legislature, where that intention can be ascertained from an enactment as a whole ". (Emphasis 
added). 

In H V H [1978] IR 138, the Supreme Court ruled (at 146) that "Such a construction would not be in conformity with 
one of the fundamental rules of interpretation ie, that words may not be interpolated into a statute unless it is 
absolutely necessary to do so in order to render it intelligible or to prevent it having an absurd or wholly unreasonable 
meaning or effect. No such necessity arises here." 

For example, see Dunnes Stores v Revenue Commissioners , 4 June 2019, paragraph 80 where the Supreme Court 
observed (paragraph 66) that: "another general proposition is that each word or phrase has and should be given a 
meaning, as it is presumed that the Oireachtas did not intend to use surplus age or to have words or phrases without 
meaning". 

As was observed in Dunnes Stores (referenced above] (paragraph 66) by the Supreme Court, “it is abundantly clear 
that a court cannot speculate as to meaning, and cannot import words that are not found in the statute, either 
expressly or by necessary inference. Further, a court cannot legislate: therefore if, on the only interpretation available 
the provision in guestion is ineffectual, then subject to the Interpretation Act 2005, that conseguence must prevail". 
11® Dodd , paragraphs 10.38—10.41. 
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sanction". The concept of a penal statute is broad and the requirement for strict 
construction applies not only to criminal offences but to "any form of detriment "It is 
however important not to overstate the principle of strict construction of penal statutes 
and to note that penal statutes may be interpreted purposively^^\ 

123. Eighth , parliamentary debates cannot be invoked in the context of statutory interpretation: 
reference to parliamentary material, while sometimes informative, is not permitted in 
Ireland.This principle applies equally to other external commentary such as 
governmental comments or decisions. 

2.4 The Principles of data protection 

124. Section 2 of the Acts identified a number of data protection principles. 

125. These principles are re-affirmed by the GDPR, substantively in Articles 5 and 6 of the GDPR. 

126. In addition. Article 5 GDPR introduces the new principle relating to the integrity and 
confidentiality of the data (Article 5(l)(f), as well as the principle of accountability (Article 
5(2)), which means that whenever an organisation collects personal data, it must be able to 
actively demonstrate compliance with these general principles. 


See D Bailey and L Norbury, Bennion: Statutory Interpretation (7*'^ edition, 2017) at 572: "Whenever it can be argued 
that an enactment has a meaning requiring infliction of a detriment of any kind, the principle against doubtful 
penalisation comes into play. If the detriment is minor, the principle will carry little weight. If the detriment is severe, 
the principle will be correspondingly powerful. ... However It operates, the principle requires persons should not be 
subjected by law to any sort of detriment unless this is imposed by clear words". This passage was endorsed by 
Hardiman J in Motemuino v Minister for Communications [2013] 4 IR 120 and more recently, by the Supreme Court 
in DPP (McMahon) v Avadenei [2017] lESC 77, paragraphs 84—85. 

For example in Dunnes Stores , (referenced above), the Supreme Court observed (paragraph 62) as follows: "one 
would have thought and one is entitled to expect that the Imposing measures should be drafted with due precision 
and in a manner which gives direct and clear effect to the underlying purpose of the legislative scheme. That can 
scarcely be said in this case. That being so, the various imposing provisions must be looked at critically. If however 
having carried out this exercise, and notwithstanding the difficulty of interpretation involved, those provisions when 

construed and interpreted appropriateiv, are stiii capable of giving rise to the iiabiiitv sought, then such should be so 

declared" (emphasis added). 

See Dodd , paragraphs 8.06, 9.04—9.12; Crilly v T& J Farrington Ltd [2001] 3 IR 251. As Walsh J observed in DPP v 
Quilliqan (No Ij [1986] IR 495, " [wjhatever may haye been in the minds of the members of the Oireachtas when the 
legislation was passed their intention must be deduced from the words of the statute". Bennion notes that while 
guidance on the meaning of a statutory provision may assist, it "is not a source of law and cannot alter the true 
meaning of legislation" (paragraph 24.17). 

Section 2 provides as follows: 

(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions: 

(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data 
shall be processed, fairly 

(b) the data shall be accurate and, where necessary, kept up to date 

(c) the data - 

(i) shall be kept only for one or more specified and lawful purposes, 

(ilj shall not be used or disclosed in any manner incompatible with that purpose or those purposes, 

(Hi) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and 
(iv) shall not be kept for longer than is necessary for that purpose or those purposes 
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127. Under the GDPR, the principles relating to the processing of personal data comprise the 
following (note that the green text indicates the 2 new principles added by the GDPR): 

(1) Lawfulness, fairness and transparency; 

(2) Purpose limitation; 

(3) Data minimisation; 

(4) Accuracy; 

(5) Storage limitation; 

(6) Integrity and confidentiality; and 

(7) Accountability. 

128. The position as between the Acts and the GDPR is summarised in the following table: 


Lawfulness, Fairness and Transparency 

Personal data shall have been obtained, 
and the data shall be processed, fairly 
(section 2(l)(a)) 

Personal data shall be processed lawfully, 
fairly and in a transparent manner in 
relation to the data subject (Article 5(l)(a)) 

Purpose Limitation 

Personal data shall be kept only for one 
or more specified and lawful purposes 
(section 2(l)(c)) 

Personal data shall not be used or 

disclosed in any manner incompatible 
with that purpose or those purposes 
(section 2(l)(c)) 

Personal data shall be collected for 

specified, explicit and legitimate purposes 
and not further processed in a mannerthat 
is incompatible with those purposes; 
further processing for archiving purposes 
in the public interest, scientific or historical 
research purposes or statistical purposes 
shall, in accordance with Article 89(1), not 
be considered to be incompatible with the 
initial purposes (Article 5(l)(b)) 

Data Minimisation 

Personal data shall be adequate, relevant 

and not excessive in relation to that 

purpose or those purposes (section 
2(l)(c)(iii)) 

Personal data shall be adequate, relevant 
and limited to what is necessary in relation 
to the purposes for which they are 
processed (Article 5(l)(c)) 

Accuracy 

Personal data shall be accurate and, where 
necessary, kept up to date (section 2(l)(b)) 

Personal data shall be accurate and, where 
necessary, kept up to date; every 
reasonable step must be taken to ensure 
that personal data that are inaccurate, 
having regard to the purposes for which 
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they are processed, are erased or rectified 
without delay (Article 5(l)(d)) 

Storage Limitation 

Personal data shall not be kept for 
longer than is necessary for that 
purpose or those purposes (section 
2(l)(c)(iy)) 

Personal data shall be kept in a form which 
permits identification of data subjects for 
no longer than is necessary for the 
purposes for which the personal data are 
processed; personal data may be stored for 
longer periods insofar as the personal data 
will be processed solely for archiying 
purposes in the public interest, scientific or 
historical research purposes or statistical 
purposes in accordance with Article 89(1) 
subject to implementation of the 
appropriate technical and organisational 
measures required by this Regulation in 
order to safeguard the rights and freedoms 
of the data subject (Article 5(l)(e)) 

integrity and Confidentiaiity 


Personal data shall be processed in a 
manner that ensures appropriate security 
of the personal data, including protection 
against unauthorised or unlawful 
processing and against accidental loss, 
destruction or damage, using appropriate 
technical or organisational measures 
(Article 5(l)(f)) 

Accountability 


The controller shall be responsible for, and 
be able to demonstrate compliance with 
data protection principles (Article 5(2)). 


2.4.1 Transparency 

129. While the concept of transparency, as enunciated in the principle under Article 5(l)(a) of 
the GDPR, was not explicitly referred to as such in the Acts, the obligation on a controller to 
proyide the data subject with, or make ayailable to them, certain information in relation to 
the processing of their personal data in was set out in section 2D of the Acts.In particular. 


Section 2D provides as follows: 

(1) Personal data shall not be treated, for the purposes of section 2(l)(a) of this Act, as processed fairly unless — 
(a) In the case of data obtained from the data subject, the data controller ensures, so far as practicable, that the 
data subject has. Is provided with, or has made readily available to him or her, at least the information 
specified in subsection (2) of this section. 
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Section 2D(2)(d), in addition to specifying certain information to be provided to the data 
subject, also required that certain unenumerated information, which having regard to the 
particular circumstances of the processing operations was required in order to make that 
data processing fair to the data subject, be provided to the data subject. 

130. In respect of transparency, Article 12 GDPR states, inter alia, that: 

The controller shall take appropriate measures to provide any information referred to in 
Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to 
processing to the data subject in a concise, transparent, intelligible and easily accessible 
form, using clear and plain language, in particular for any information addressed 
specifically to a child. The information shall be provided in writing, or by other means, 
including, where appropriate, by electronic means. When reguested by the data subject, 
the information may be provided orally, provided that the identity of the data subject is 
proven by other means. 

131. Article 13 GDPR relates to information to be provided where personal data are collected 
from the data subject while Article 14 GDPR relates to information to be provided where 
personal data have not been obtained [directly] from the data subject. 

132. As part of the requirement for transparency, the GDPR also mandates that any personal 
data may only be collected and processed within clear constraints, which include that the 
data subject is fully aware of the nature and extent of the processing (as further described 
in Recital 39 and 60 of the GDPR). 


(b) in any other case, the data controller ensures, so far as practicable, that the data subject has. Is provided 
with, or has made readily available to him or her, at least the information specified in subsection (3) of this 
section — 

(i) not later than the time when the data controller first processes the data, or 

(iij if disclosure of the data to a third party Is envisaged, not later than the time of such disclosure. 

(2j The Information referred to in subsection (l)(a) of this section is: 

(a) the Identity of the data controller, 

(bj If he or she has nominated a representative for the purposes of this Act, the identity of the representative, 

(c) the purpose or purposes for which the data are intended to be processed, and 

(d) any other information which is necessary, having regard to the specific circumstances in which the data are or 
are to be processed, to enable processing in respect of the data to be fair to the data subject such as 
information as to the recipients or categories of recipients of the data, as to whether replies to guestions 
asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure 
to give such replies and as to the existence of the right of access to and the right to rectify the data concerning 
him or her. 

(3) The information referred to in subsection (l)(bj of this section is: 

(a) the information specified in subsection (2) of this section, 

(bj the categories of data concerned, and 
(c) the name of the original data controller." 

(4) The said subsection (l)(b) does not apply — 

(a) where, in particular for processing for statistical purposes or for the purposes of historical or scientific 
research, the provision of the information specified therein proves impossible or would involve a 
disproportionate effort, or 

(b) in any case where the processing of the information contained or to be contained in the data by the data 
controller is necessary for compliance with a legal obligation to which the data controller is subject other than 
an obligation imposed by contract, if such conditions as may be specified in regulations made by the Minister 
after consultation with the Commissioner are complied with. 
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2.4.2 Legal Basis for Processing 


133. The primary rules for processing personal data, as set out in Article 8 of the Charter, include 
a requirement that processing must be carried out according to a "legitimate basis" laid 
down by law. If no such basis exists then the default position is that any processing of 
personal data cannot be considered to be lawful. This requirement is enunciated at a 
national level by section 2A(1) of the Acts,^^^ which states that personal data "shall not be 
processed" unless at least one of the conditions (which are also frequently referred to as 
the "legal bases" or "lawful bases" for processing personal data) set out in that section is 
met. Accordingly, under this section, if the processing of the personal data in question does 
not satisfy at least one of these conditions, it will be not be considered lawful for the 
purposes of the Acts. 

134. The requirement that personal data must only be processed in accordance with a legal basis 
is referred to under the GDPR as "lawfulness of processing" as set out in Article 6 GDPR. 
This article provides that processing shall be lawful only if and to the extent that at least 
one of the following [legal bases] applies: 

(a) the data subject has given consent to the processing of his or her personal data for 
one or more specific purposes; 

(b) processing is necessary for the performance of a contract to which the data subject 
is party or in order to take steps at the reguest of the data subject prior to entering 
into a contract; 


Section 2A provides as follows: (1) Personal data shall not be processed by a data controller unless section 2 
of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the 
following conditions is met: 

(a) the data subject has given his or her consent to the processing or, if the data subject, by reason of his or 
her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such 
consent, it is given by a parent or guardian ora grandparent, uncle, aunt, brother or sister of the data subject 
and the giving of such consent is not prohibited by law, 

(b) the processing is necessary — 

(i) for the performance of a contract to which the data subject is a party, 

(ii) in order to take steps at the request of the data subject prior to entering into a contract, 

(Hi) for compliance with a legal obligation to which the data controller is subject other than an obligation imposed 
by contract, or 
(iv) to prevent — 

(I) injury or other damage to the health of the data subject, or 

(II) serious loss of or damage to property of the data subject, 

or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another 
person referred to in paragraph ( a ) of this subsection is likely to result in those interests being damaged, 

(c) the processing is necessary — 

(1) for the administration of justice, 

(ii) for the performance of a function conferred on a person by or under an enactment, 

(Hi) for the performance of a function of the Government ora Minister of the Government, or 

(iv) for the performance of any other function of a public nature performed in the public interest by a person, 

(d) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or 
by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any 
particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the 
data subject. 

(2) The Minister may, after consultation with the Commissioner, by regulations specify particular 
circumstances in which subsection (l)(d) of this section is, oris not, to be taken as satisfied. [Emphasis added] 
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(c) processing is necessary f or compiiance with a iegai obligation to which the controller 
is subject; 

(d) processing is necessary in order to protect the vital interests of the data subject or 
of another natural person; 

(e) processing is necessary for the performance of a task carried out in the public 
interest or in the exercise of official authority vested in the controller; 

(f) processing is necessary for the purposes of the legitimate interests pursued by the 
controller or by a third party, except where such interests are overridden by the 
interests or fundamental rights and freedoms of the data subject which reguire 
protection of personal data, in particular where the data subject is a child. 

Point (f) of the first subparagraph shall not apply to processing carried out by 
public authorities in the performance of their tasks. [Emphasis added] 

135. Article 6(3) GDPR is also relevant and explains: 

The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid 
down by: 

(a) Union law; or 

(b) Member State law to which the controller is subject. 

The purpose of the processing shall be determined in that legal basis or, as regards the 
processing referred to in point (e) of paragraph 1, shall be necessary for the performance 
of a task carried out in the public interest or in the exercise of official authority vested in 
the controller. That legal basis may contain specific provisions to adapt the application 
of rules of this Regulation, inter alia: the general conditions governing the lawfulness of 
processing by the controller; the types of data which are subject to the processing; the 
data subjects concerned; the entities to, and the purposes for which, the personal data 
may be disclosed; the purpose limitation; storage periods; and processing operations 
and processing procedures, including measures to ensure lawful and fair processing such 
as those for other specific processing situations as provided for in Chapter IX. The Union 
or the Member State law shall meet an objective of public interest and be proportionate 
to the legitimate aim pursued. 

In effect this means that EU or Member State law may further specify the legal basis for 
processing personal data in accordance with Article 6(l)(c) and Article 6(l)(e) of the GDPR. 
The 2018 Act has established further legal bases pursuant to these Articles for the 
processing of personal data (for example Section 38 of the 2018 Act). 

136. Recital 41 GDPR states: 

Where this Regulation refers to a legal basis or a legislative measure, this does not 
necessarily reguire a legislative act adopted by a parliament, without prejudice to 
reguirements pursuant to the constitutional order of the Member State concerned. 
However, such a legal basis or legislative measure should be clear and precise and its 
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application should be foreseeable to persons subject to it, in accordance with the case- 
law of the Court of Justice of the European Union (the 'Court of Justice') and the 
European Court of Eluman Rights. 

This recital is particularly important in the current context as it underlines the requirement 
of foreseeability of processing to data subjects - in other words that the legal basis or 
legislative measure which is relied on to process personal data must be sufficiently clear to 
affected persons so that they are not taken by surprise at manner in which, or purposes for 
which their personal data has been processed, or at the impact of this processing upon 
them.^^® 

2.5 Summary of the legal bases for lawful processing and relevance to this report 

137. In summary, the legal bases set out in the Acts and the GDPR are effectively twofold: 

(1) If the data subject consents to the processing of their personal data, then such 
processing is deemed lawful. 

(2) Alternatively, there are specific circumstances in which the processing of personal 
data will be deemed lawful even in the absence of consent (i.e. there are other legal 
bases). However, in each case, the lawfulness or otherwise of the processing turns 
on the data controller establishing that the processing in question is necessary for 
the particular purpose of the legal basis relied on. 

138. As will be seen from Part 3 of this Report, the question of whetherthe processing carried out 
by DEASP in relation to the issuing of the PSC is necessary in a strict legal sense is central to 
the DPC's determination as to whether there is a legal basis for such processing under the 
Acts. 

139. In the absence of consent, and as discussed further in Part 3, it appears that the most likely 
legal bases under the Acts potentially applicable to the processing in question carried out 
by DEASP appears to be those set out in section 2A(l)(c) of the Acts (now GDPR Article 
6(l)(e) as given further effect in section 38 of the 2018 Act).^^^ Those provisions legitimise 
the processing of personal data when such processing is necessary : 

(ii) for the performance of a function conferred on a person by or under an 

enactment, 

(Hi) for the performance of a function of the Government or a Minister of the 

Government, or 


See for example, Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, Revised and 
Adopted 11 April 2018 (paragraphs 10, 36, 38, 41 and 45) as adopted by the European Data Protection Board (EDPB). 
Section 38(1) The processing of personal data shall be lawful to the extent that such processing is necessary and 
proportionate for— 

(a) the performance of a function of a controller conferred by or under an enactment or by the Constitution, or 

(b) the administration by or on behalf of a controller of any non-statutory scheme, programme or funds where the legal 
basis for such administration is a function of a controller conferred by or under an enactment or by the Constitution. 
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(iv) for the performance of any other f unction of a public nature performed m 

the public interest by a person. [Emphasis added] 

140. Given the reliance by DEASP on certain provisions of the SWCA 2005 as the legal basis for 
the processing carried out by it in connection with the PSC, as discussed further in Part 3 of 
this report, the DPC has in its investigation, analysed whether there is a legal basis for such 
processing arising from the provisions at section 2A(l)(c) (ii) to (iv) of the Acts, as referred 
to above. 

141. In this regard it should be noted that while the DPC has referred throughout this report, in 
relation to the legal basis, to the functions of "the Minister" (in other words the Minister 
for Employment Affairs and Social Protection) which are referenced in the SWCA 2005, the 
functions of the Minister under the SWCA 2005 and the performance by the DEASP - as the 
relevant department of the Minister - of such functions, should be considered as one and 
the same thing for these purposes. This arises from section 6(3) of the Ministers and 
Secretaries (Amendment) Act, 1939 which states that: 

Whenever any particular power, duty, or function is now or shall hereafter be conferred 
or imposed by statute on or shall be transferred under this section to a Minister having 
charge of a Department of State, the administration and business in connection with the 
exercise, performance, or execution of such power, duty, or function shall be deemed to 
be allocated to the said Department of State. 

142. Accordingly the term "Minister" is therefore used interchangeably with the term "DEASP" 
throughout this report in the context of the processing being carried out which is the 
subject matter of this report. Elowever, for the avoidance of doubt, the Minister is not the 
data controller in question and instead, DEASP is the controller for the processing carried 
out which is under examination in this report. 

2.5.1 The concept of necessity in data protection law 

143. As referred to above, it must be emphasised that in respect of all of the potential legal bases 
set out in section 2A(l)(c) of the Acts, there is a requirement that the processing is 
necessary for the pursuit of the relevant interest (i.e. the purpose) captured by the legal 
basis in question. In this regard, as noted above. Article 8(1) of the Charter makes it clear 
that processing carried out on personal data must be done by reference to "specified 
purposes". 

144. The central question as to whether there is a legal basis for DEASP to process personal data 
in connection with the PSC is therefore is inextricably bound up with whether the processing 
is "necessary" in a legal sense for one or more of the relevant statutory purposes in Section 
2A(l)(c) of the Acts. As noted above, interpretation of the Acts must be done in conformity 
with EU law. It is therefore useful to consider how the concept of necessity is applied by the 
CJEU in the data protection context because the DPC must also consider the concept of 
necessity in considering whether there is a legal basis for DEASP to carry out processing of 
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personal data in connection with the PSC and its underlying registration (SAFE registration) 
process. 

145. First, the concept of necessity has an autonomous meaning in EU law, which the CJEU has 
said, "must be interpreted in a manner which fully reflects the objective of [the] directive". 

146. Second, the concept of necessity is generally interpreted strictly by the CJEU, given that 
derogations or limitations on data rights are to be interpreted strictly. 

147. Third, any interference with data protection must be capable of achieving its stated 
objective. 

148. Fourth, in general, to satisfy the necessity test, there ought to be no equally effective 
available alternative. 

149. Fifth, any interference arising from the processing in question should be the least restrictive 
of the right. 


CJEU, Case C-524/06 Huberv v Bundesrepublik Deutschland, 16 December 2008, paragraph 52. 

See for example, CJEU, Case C-13/16 Valsts policijas RJgas regiona pdrvaldes Kdrtibas policijas where the CJEU stated 
that "As regards the condition relating to the necessity of processing personal data, it should be borne in mind that 
derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly 
necessary ..." . (Emphasis added). 

In the Rigas Police case. Advocate General Bobek observed (at paragraph 71) that: "The examination of 
proportionaiity is an assessment of the relationship between aims and chosen means. The chosen means cannot go 
beyond what is needed. That logic, however, aiso works in the opposite direction: the means must be capable of 
achieving the stated aim ." (Emphasis added). 

In Joined Cases C-465/00, C-138/01 and C-139/01 Osterreichischer Rundfunk the impugned provisions of national law 
required public bodies to communicate the names, together with the salaries and pensions exceeding a certain level 
paid by them to their employees for the purpose of drawing up an annual report to be made available to the general 
public. The CJEU accepted that the legislation had the legitimate objective of exerting pressure on public bodies to 
keep salaries within reasonable limits and of ensuring the thrifty and appropriate use of public funds. The CJEU 
ultimately held (paragraph 88) that the assessment of the necessity and proportionality of such publication was a 
matter for the national court. However in doing so, the CJEU stated that the national court should consider "whether 
such an objective could not have been attained equally effectively by transmitting the information as to names to the 
monitoring bodies alone . Similarly, the question arises whether it would not have been sufficient to inform the generai 
pubiic oniy of the remuneration and otherfinancial benefits to which persons employed by the public bodies concerned 
have a contractual or statutory right, but not of the sums which each of them actuaily received during the year in 
question, which may depend to a varying extent on their personal and family situation." (Emphasis added). 
Separately, in Case C-291/12 Michael Shwartz v Stadt Bochum, the CJEU again considered whether there was any 
alternative to the measure challenged (the requirement under a Council Regulation regarding security features and 
biometrics in passports and travel documents, which required passport applicants to submit to having their 
fingerprints taken as a precondition to being granted a passport) which would interfere less with the rights under 
Articles 7 and 8 of the Charter but still contribute effectively to the objectives of the EU in question. Here the CJEU 
stated that the only real alternative to the taking of finger prints was an iris scan. However, the CJEU noted that iris- 
recognition technology was not yet as advanced as, and was considerably more expensive than, fingerprint 
recognition technology and was therefore less suitable for general use. On the basis of these factors, the CJEU 
concluded that there were no measures which would be both sufficiently effective in achieving the aim of the law 
and less of a threat to the rights protected by Articles 7 and 8 of the Charter than the taking of fingerprints. 

For example in Volker und Markus Schecke (Joined Cases C-92/09 and C-93/09) it was held by the CJEU that, when 
examining the necessity of the publication of the personal data of all beneficiaries who had received public funds 
pursuant to EU legislation under the Common Agricultural Policy, the legislature had not taken into account 
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150. Sixth case law from the CJEU also indicates that even where national legislation prescribes 
for interferences with data protection rights, the concept of necessity must still be satisfied 
insofar as there must be clear and precise rules regarding the necessity for the processing 
of personal data in question.In this respect, it is notable that pursuant to Article 52(1) of 
the Charter, any limitations on Charter rights must "provided for by law".^^'^ 

2.5.2 Statutory exemptions from the rules set out in the Acts 

151. Finally, before considering the question of whether there is a legal basis under the Acts for 
the processing of personal data by DEASP in connection with the PSC, it should be noted 
that Section 8 of the Acts identified circumstances in which the rules/ restrictions in those 
Acts on the processing of personal data "do not apply". 

152. That is to say, if a particular processing operation comes within the scope of one of the 
identified exemptions set out in Section 8, the starting point is that compliance with 
substantive requirements of the Acts in relation to the processing of personal data is not 
required. 

153. In practical terms, therefore, if a data controller demonstrated that it is entitled to avail of 
a statutory exemption provided for in Section 8 of the Acts, it would not have to comply 
with the data protection obligation to have a legal basis for the processing of personal data 
to which the exemption applied. 

154. Section 8 has now been replaced by a series of provisions in the GDPR and Data Protection 
Act 2018, including Article 23 GDPR (as implemented by various provisions of the 2018 Act). 

155. It is important to be bear in mind, however, that, because the statutory exemptions 
provided for at Section 8 of the Acts cut across a fundamental right of the individual (being 
a right that is protected under Article 8 of the Charter), they must be construed narrowly. 


alternative, less intrusive measures, such as iimiting publication to those beneficiaries according to the periods for 
which they received aid, or the frequency or nature and amount of aid received. The CJEU emphasised that 
"derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly 
necessary" and that it was "possible to envisage measures which affect less adversely that fundamental right of 
natural persons and which still contribute effectively to the objectives of the European Union rules In question...". 
Accordingly, the national provisions in question were invalid having regard to the interference with the right to 
privacy under Articles 7 and 8 of the Charter. 

In Joined Cases C 203/15 and C 698/15 Tele2 Sverige, the CJEU stated that provisions of national law "must, first, lay 
down clear and precise rules governing the scope and application of such a data retention measure and imposing 
minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective 
protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what 
circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, 
thereby ensuring that such a measure is limited to what is strictly necessary...". (Emphasis added). In Case C-201/14 
Smaranda Bara, the CJEU considered that although there was a legislative basis for some sharing of data between 
public bodies, the Romanian government had failed to identify any necessity for the particular data shared, therefore 
could not rely on the general terms in the statute. 

As was observed in Opinion 1/15 (EU:C:2017:592) by the CJEU, this provision in the Charter "implies that the legal 
basis which permits the interference with those rights must itself define the scope of the limitation on the exercise 
of the right concerned". 
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156. The DPC noted in its Draft Report (paragraph 100) delivered on 28 August 2018, that at no 
time had it been suggested by DEASP that the PSC stands outside the legal framework 
provided for by the Acts. Accordingly, the DPC was of the view, as recorded in the Draft 
Report, that the PSC is subject to the full rigours of the legal rules established under the 
Acts. However in DEASP's submissions^^^ on the Draft Report, DEASP referred to Section 
8(b) of the Acts which states as follows: 

Any restrictions in this Act on the processing of personal data do not apply if the 
processing is 

(b) reguired for the purpose of preventing, detecting or investigating offences, 
apprehending or prosecuting offenders or assessing or collecting any tax, duty or other 
moneys or owed or payable to the State, a local authority or a health board, in any case 
In which the application of those restrictions would be likely to prejudice an of the 
matters aforesaid. 


157. In relation to this provision, DEASP stated that the DPC had given no attention to this 
provision in the Draft Report and that this was a significant oversight. DEASP referenced a 
comment in a DPC audit from 2008/2009 of the Revenue Commissioners. In the relevant 
comment, the DPC had observed that the Revenue occupied a "special position" as regards 
the broad exemptions in Section 8 of the Acts regarding the processing of personal data for 
the assessment or collection of tax but that the exemptions were still subject to the 
prejudice test in each case. In referencing this comment of the DPC, DEASP drew an analogy 
with its own position, asserting that it similarly occupied a "special position" as regards, 
inter alia, its responsibilities for preventing and detecting identity fraud. DEASP contended 
that the DPC had not acknowledged this "special position" nor discussed Section 8 in the 
Draft Report in relation to either the data protection framework or in the discussion around 
legal basis. DEASP also referred to the further information which it had provided to the DPC 
in relation to the rationale for prevention of offences and stated that it reserved its position 
in relation to the applicability of Section 8(b). 

158. The DPC considers that DEASP has not made out any cogent arguments as to why the 
processing in question falls within Section 8(b) of the Acts - save for the general assertions 
made by DEASP that its "special position" as the holder of the PSI dataset and a body 
responsible for preventing and detecting identity fraud has not been acknowledged in the 
report. While DEASP alleges that it was a significant oversight of the DPC not to discuss the 
potential application of this restriction, the DPC does not agree. Section 8(b), as a 
derogation from the obligation on a controller to have a legal basis for processing, amounts 
to a limitation on the rights of a data subject. In accordance with Article 52 of the Charter 
and the case law of the CJEU, such "derogations from and limitations on the protection of 


DEASP's Response to the Draft Report, Part 2, Section 3.1.5 at paragraphs 7 - 11. 
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personal data should apply only In so far as Is strictly necessory".^^® Accordingly, Section 8(b) 
in no way represents a blanket exemption from the rules for processing. In this vein, it is for 
a data controller to present the analysis and justifications as to why it believes that it is open 
to it to avail of such an exemption in relation to a particular set, or sets, of data processing 
operations. 

159. The DPC acknowledges (as it does elsewhere in this report) that insofar as DEASP performs 
an identity-authentication function that this has the objective of preventing or detecting 
offences in the form of identity fraud within the meaning of Section 8(b) of the Acts. 
However in the absence of any level of analysis by DEASP demonstrating the specific 
applicability of Section 8(b) to DEASP's position and particular processing operations, it is 
not clear that the statutory condition of the processing being " required " (within the 
meaning of Section 8(b) of the Acts) for this purpose would be satisfied. 


CJEU, Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v Post- och telestyrelsen, and Secretary of State for the 
Home Department, 21 December 2016, para 96. 
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PART THREE 


LAWFULNESS OF PROCESSING - LEGAL BASIS 
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3.1 Introduction 


160. Part 2.4 above outline essential conditions for the lawful processing of personal data as 
required under section 2A of the Acts. In particular, processing of personal data under the 
Acts must meet one of the criteria set out in section 2A(l)(a) - (d) (referred to as the "legal 
basis" or "lawful basis" for processing). A legal basis under section 2A is a necessary 
condition for processing of personal data, however, a controller must also comply with the 
data protection principles set out in section 2 of the Acts, as well as the other legal 
obligations which apply to data controllers under the Acts. 

161. As a preliminary matter, the DPC is satisfied that the PSC card of itself contains personal 
data about identified individuals, in automated form insofar as it stores information on its 
magnetic stripe and electronic chip and in manual form insofar as the PSC records legible 
data on its face.^^^ 

162. The DPC is also satisfied that DEASP controls the content and use of personal data contained 
in the PSC. As referred to earlier in this report, DEASP's Privacy Policy also records that it is 
the data controller for personal data processed by it. The DPC is therefore satisfied that 
DEASP is a data controller for the purposes of issuing and use of the PSC. 

163. The DPC is further satisfied that DEASP acts as a controller of personal data collected, 
stored, disseminated and consulted in the context of SAFE 2 registration which is the 
identity authentication process (discussed further below) conducted by DEASP and which is 
the precursor to issuing a PSC (where the relevant requirements of that process have been 
satisfied). 

164. Part 3 focusses on the legislation, practices and Government Decisions relating to the PSC 
and SAFE registration, and assesses how these measures comply with the Acts. The analysis 
is concerned with whether the processing of personal data by DEASP, i.e. for identity 
authentication under the SAFE framework in the context of issuing PSCs, has a legal basis 
under section 2A of the Acts. Part 3.6 addresses specific data retention concerns in relation 
documentation collected and retained by DEASP during the SAFE registration process. 

3.2 DEASP's legal basis for processing personal data in connection with SAFE 2 

3.2.1 DEASP's current Privacy Statement and the Comprehensive Guide 

165. DEASP's current Privacy Statement,published on its website on 16 July 2018(and last 
modified 30 April 2019), addresses the legal basis for the processing of personal data at 
section 4 ("The Legal Basis for Processing") as follows: 


See Part 3.2.7 of the report. 

Department of Employment Affairs and Social Protection Privacy Statement , published on welfare.ie. 
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4.1 The Department has a number of Acts under which personal data may be legally 
processed. Our main legislation is included in the Social Welfare Consolidation Act, 2005, 
as amended. However, we have a number of other pieces of primary and secondary 
legislation which allows us to process personal data. Should you wish to know more 
about these, please see the list which is included as an appendix to this document. 

4.2 The Department is also entitled to process personal data under other legislative 
provisions that provide the basis for all Government Departments to administer the 
range of services and supports as set out by successive Government decisions. 

166. It is notable that this statement refers to legislation as the [legal] basis for processing by the 
Department. However, as will be discussed later in this report, the mere existence of 
legislation is not, in and of itself, sufficient as a legal basis to justify the processing of 
personal data. As referred to in Part 2.5.1, which discussed the concept of necessity as a 
core concept in relation to data protection, in the absence of consent, any processing of 
personal data which is sought to be justified by reference to another legal basis must always 
be necessary for the objective pursued. This means that there must be compliance with the 
principles set out in Part 2, which inform how the concept of necessity must be applied. 
Therefore, simply pointing to a legislative provision as the purported legal basis for processing 
personal data is not sufficient of itself to satisfy the requirement to have a legal basis for the 
processing in question. 

167. Section 5 of the DEASP Privacy Statement, entitled "The Categories of processing 
Undertaken by this Department" states: 

"We process personal data for the following purposes: 

5.1 To provide personal public service numbers (PPSNs) 

5.2 To undertake SAFE registrations in order to validate and authenticate identity 

and to provide Public Services Cards (PSCs) 

[.....]" 

168. In DEASP's Comprehensive Guide in response to the question "What is the legal basis for 
SAFE registration?" it is also stated that "the main legal powers providing for and relating 
to SAFE registration are set out in the Social Welfare Consolidation Act, 2005 (as 
amended)".That answer refers to sections 241, 247C, 262, 263, 263A, and 263B of the 
SWCA 2005. 

3.2.2 General - Processing of personal data in connection with SAFE registration 

169. In the paragraphs that follow, the SAFE registration system is described. The DPC notes that 
DEASP has not taken issue with the DPC's description of same and that DEASP has stated it 
relies on this description^^®. 


DEASP's Comprehensive Guide, Response to question 14 ('What is the legal basis for SAFE registration'?). 
DEASP's Response to the Draft Report, Part 2 paragraph 4. 
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170. The Standard Authentication Framework Environment (SAFE) system is a rules based 
standard for authentication of identity, adopted pursuant to a 2005 Government Decision 
(set out further in Part 1 above). The DEASP's Comprehensive Guide sets out that the SAFE 
registration is the process used by the DEASP 

to establish and verify a person's identity so that it can be sure that - 

a) the person using its service is the person they claim to be, 

b) that nobody else is using that person's identity for the purpose of claiming a 
payment or service, 

c) that the person is not claiming another payment or using another service under a 
different identity and in addition, 

d) to minimise the reguirement for people to provide the same identity information 
over and over again when accessing different services^'^^. 

171. The SAFE standard has four levels - SAFE 0 to SAFE 3 - such that: 

SAFE 0 No assurance of identity 

SAFE 1 Balance of probabilities (the minimum authentication level for the 

allocation of a PPS Number) 

SAFE 2 Substantial assurance (the minimum authentication level for issuing a 

Public Services Card) 

SAFE 3 Beyond reasonable doubt (typically by use of technology such as 

fingerprinting)^'*^ 

112. Notwithstanding that DEASP's Comprehensive Guide, referenced above, provides that "the 
main legal powers providing for and relating to SAFE registration are set out in the Social 
Welfare Consolidation Act, 2005 (as amended),as discussed in this report, the SAFE 
process is not actually provided for in legislation (in either the SWCA 2005 or otherwise).This 
position was stated in the Draft Report and DEASP takes issue with this characterisation. 
DEASP claims that it is "seriously misleading" to state that SAFE is not provided for in 
legislation or that there is no legislative basis for SAFE.^^'^ While DEASP accepts that the term 
"Standard Authentication Framework Environment" and the acronym "SAFE" are not 
present in the SWCA 2005, DEASP considers that it is not uncommon for a particular 
administrative system to receive or acquire a name which is not to be found in legislation. 
Instead, DEASP states that the crucial matter is whether, substantively, the system is 
underpinned by legislation. 

173. As will be seen later in this report, the DPC acknowledges that the SAFE 2 registration 
system corresponds to elements of the SWCA 2005 provisions.Flowever, the DPC 


I'll DEASP's Comprehensive Guide, Response to question 1 ("What is SAFE registration?") page 8. 

DEASP's Comprehensive Guide, Response to question 1 ("What is SAFE registration?") page 8. 

DEASP's Comprehensive Guide, Response to question 14 ('What is the legal basis for SAFE registration'?), 
i'*'* DEASP's Response to the Draft Report, Part 2, Section 3.1.5 at paragraphs 5-8. 

See Part 3.2.7 of the report. 
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maintains its position that SAFE registration, as an identification authentication process that 
is applied in practice, and is referred to for public purposes by that name, is not expressly 
referred to in the SWCA 2005. Notwithstanding the DEASP's position that such an approach 
is not uncommon, the DPC considers that this is a central issue with regard to the 
transparency requirements concerning the processing by the DEASP, which are considered 
in Part 4 of this report. 

3.2.3 Personal data processed by DEASP and the Interaction between SAFE 2 and PSI 
dataset 


174. SAFE 2 is stated to be the minimum authentication level for issuing a PSC. In practice, the 
SAFE registration process is applied by DEASP for the purposes of verifying identify.As 
explained in the Comprehensive Guide, DEASP is the sole body in the State currently 
undertaking SAFE registrations.The Comprehensive Guide also explains the interaction 
between SAFE registration and the PSI dataset (the items comprising the PSI dataset are set 
out below in the footnote)^^^ stating that: 


During a SAFE 2 registration, those elements of the [PSI dataset] that are already held 
for that person are verified and updated as necessary and missing elements are collected 
and verified. In that way, [DEASP] holds a complete [PSI dataset] for each person that it 
has verified to SAFE 2 standard. 


In response to Question 1 "What is SAFE registration?", it states that SAFE registration is "the process used by DEASP 
to establish and verify a person's identity." 

Comprehensive Guide response to Question 22 ("When SAFE registration data is collected from individuals through 

Government bodies, is that registration data kept on one centralised State register?") at page 25 

The PSI dataset consists of the items comprisingthe "Public Service Identity" which is defined at Section 262(1) SWCA 

2005 to be the information specified in Section 262(3) and the PPSN . The items set out in at Section 262(3) are as 

follows: 

'(a) For the purposes of allocating and issuing a personal public service number, a person or, in the case of a deceased 
person, a personal representative, who has any transaction with a specified body shall give to the Minister the 
following information in relation to the person or the deceased person, as the case may be: 

(i) surname; 

(ii) forename; 

(iii) date of birth; 

(iv) place of birth; 

(v) sex; 

(vi) all former surnames (if any); 

(vii) all former surnames (if any) of his or her mother; 

(viii) address; 

(ix) nationality; 

(x) date of death; 

(xa) certificate of death, where relevant; 

(xb) where required, a photograph of the person, except where the person is deceased; 

(xc) where required, the person's signature, except where the person is deceased; 

(xd) any other information as may be required for authentication purposes that is uniquely linked to or is capable of 
identifying that person; 

(xi) any other information that may be prescribed which, in the opinion of the Minister, is relevant to and necessary for 
the allocation of a personal public service number.' 
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175. According to the information contained in the Comprehensive Guide, persons undergoing 
SAFE registration are required to provide the following supporting documentation which 
differ depending on a person's nationality and circumstances^^®: 

(A) Evidence of Identity 


Irish citizens born in the 

Republic of Ireland 

Current Irish passport, current Irish or UK driving licence or 
Irish learner driver permit. 

If adopted, an adoption certificate. 

Irish citizens via 

naturalisation or 

Foreign Birth 

Registration 

Current Irish passport or Certificate of Naturalisation or 
Foreign Birth Registration certificate and Irish or UK driving 
licence or Irish learner driver permit. 

Irish citizens born in 

Northern Ireland and 

UK citizens 

Current passport, or birth or adoption certificate and current 
driving licence. 

EU citizens 

Current passport or national identity card. 

Non-EU nationals 

Current passport or 1951 (Geneva Convention) travel 

document. 


(B) Evidence of address (any of the following documents): 

• A household utility bill, 

• An official letter/document, 

• A financial statement, 

• Property lease or tenancy agreement, 

• Confirmation of address by a third party such as a school principal/administrator, 
accommodation/property owner or manager. 

(C) Additional documents to confirm identity which can include any or all of the following: 

• Irish Free Travel Pass, 

• Medical card issued under the General Medical Service, 

• European health insurance card, 

• Credit/debit card, 

• Other forms of ID, 

• Student card. 


176. As appears from the paragraph above, DEASP processes personal data consisting of all of 
the elements of the PSI dataset which may in turn need to be proved by the items described 
above in relation to: (A) evidence of identity; (B) evidence of address; and (C) additional 


Comprehensive Guide to Safe Registration and the Public Services Card, see answer to question 8, "What do I have 
to bring to my SAFE registration appointment?" 
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documents to confirm identity. The references in this report to the processing carried out by 
DEASP in relation to SAFE registration and the issuing of PSCs relate to this personal data, 
unless other or specific types of personal data are being referred to. 

177. It is also important to note that a second report will consider processing of personal data 
which is not covered by the preceding paragraph, but which takes place in the context of 
SAFE 2. This will include processing operations, including processing of sensitive personal data 
(now known as special category personal data under the GDPR), and personal data consisting 
of arithmetic templates of photographs (i.e. the data used by DEASP to conduct processing 
by way of facial matching) amongst other things. As stated in Part 1, processing by DEASP 
involving facial matching in relation to SAFE registration and the issuing of PSCs will be the 
subject of a separate report by the DPC. That report may also address the processing of other 
personal data which falls outside the personal data described above at paragraph 175 to 176. 

178. As regards the PSI dataset, section 262(5) SWCA 2005 is also relevant. It states that where 
a specified body collects details of a person's public service identity (PSI) in the course of a 
transaction, this information is also deemed to be collected for the purpose of maintaining 
a person's public service identity (the PSI dataset). DEASP, in its response to Question 22 of 
the Comprehensive Guide, ("When SAFE registration data is collected from individuals 
through Government Bodies, is that registration data kept on one centralised State 
Register?") confirms that a person's PSI dataset is "updated as necessary" in the course of 
SAFE 2 registration. 

179. While DPC understands that DEASP has a core role in the maintenance of the PSI dataset, 
for the avoidance of doubt, the DPC does not consider that section 262(5) SWCA 2005 
provides a legal basis for DEASP to carry out processing of personal data by way of identity 
verification/ authentication in respect of persons engaging in transactions with specified 
bodies (which are not the DEASP). Section 262(5) simply allows for DEASP to receive 
information which has been verified by other public bodies. 

180. In Part 4 of this report, the DPC has examined issues concerning the sharing of information 
from the PSI dataset between specified bodies and DEASP and the updating of the PSI 
dataset in the context of the transparency of these interactions and the information made 
available to data subjects. 

3.2.4 Methods of SAFE registration 


In response to the questions posed by the DPC during the course of this investigation, the DEASP confirmed that they 
operate two datacentres that host the PSI and the SCV ("Single Customer View") datasets and that those datacentres 
are under the direct control of DEASP. DEASP also confirmed that the collection and maintenance of the PSI data is 
managed by IT systems that are hosted within DEASP's datacentres. In the Comprehensive Guide, in response to 
questions 22 and 52, it states that the DEASP is the controller for the Single Customer View. The SCV operates to 
enable the shared use of the PSI dataset with specified bodies, as set down in Schedule 5, SWCA 2005. 
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181. The DEASP's Comprehensive Guide states in response to Question 7 ("How do people 
register to SAFE 2 standard?") that " usual method" [emphasis added] of SAFE 2 registration 
usually involves: 

a combination of all of the following - 

• a face-to-face meeting at an Intreo centre or a dedicated SAFE registration 
centre 

• the collection and verification of the basic identity information known as the 
person's Public Service Identity (PS!) data set (See Question 18), 

• the examination/validation/verification of at least two documents 
supporting identity, and 

• photo-matchingf^^ 

182. However, as further indicated in the answer to Question 7 of the Comprehensive Guide, in 
some cases DEASP departs from the normal SAFE 2 registration process where an individual 
has partially verified their identity in the context of another public service transaction (such 
as an application for a passport or driving licence). In such cases DEASP developed an 
alternative practice (which has since been discontinued) whereby it writes to individuals 
who have recently verified their identity with another public body and invites them to 
provide outstanding information in order to register the person to SAFE 2 standard and to 
issue a PSC.^^^ This is further considered at Part 3.5. Separately, in 2012, the Department 
also operated a "reduced registration process", by registering people for a PSC who were 
deemed "low risk customers". They obtained "data already on record with the Passport 
Qffice", which resulted in them not having to attend a face-to-face interview.The 
Department envisaged that such a process would support "the issuance of the PSC to a 
significant proportion of the Department's customers" who would be entitled to a Free 
Travel Pass. The Department continued this process with persons over the age of 66 in 
2013. 

3.2.5 DEASP's position with regard to legal basis for processing 


DEASP's answer to Question 7 of the Comprehensive Guide explains that the photo taken for SAFE 2 verification is 
"run through software to check against other photos that have already been taken during other SAFE registrations". 
In subsequent correspondence with the DPC, DEASP outlined that this process is achieved by processing an 
individual's SAFE 2 photograph using specialised facial matching software (Cogent Facial Image Management System 
("CFIMS")). This software creates an arithmetic template of the registrant's facial features, to be compared against 
templates of other SAFE registrants. (As noted in Part 1.2, the issue of facial matching processing of data will be 
considered by the DPC in a separate subsequent report). 

In response to questions posed by the DPC as part of this investigation, the DEASP explained it has two postal process 
in which the PSI data can be updated. The first way is with a PSCl form (a copy of which was provided to the DPC by 
DEASP with its submissions on the Draft Report). In such instances, where an individual has an interaction with 
another public body which has gathered most SAFE registration data, and where the data collected is matched against 
data held on the DEASP system, the customer Is sent a PSCl form to complete the SAFE registration process and with 
their consent the DEASP uses the photo to complete registration. The second way is with a PSC2 form, which is used 
'for low risk categories of DEASP customers', which meet a number of criteria. The legal basis for this practice Is 
considered at Part 3.5. 

Department of Social Protection, Annual Report 2012, pp. 30-31. 

Department of Social Protection, Annual Report 2013, pp.34 -35. 
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183. At Part 2.5 of the report, the DPC identified the provisions under Section 2A of the Acts 
which it considered could be the most likely legal bases potentially applicable to the 
processing in question carried out by DEASP. As appears from the DEASP Privacy Policy and 
DEASP's Comprehensive Guide, quoted above, the specific provision, or condition, under 
Section 2A of the Acts on which DEASP asserts that it has a legal basis for processing 
personal data has not been identified in those documents. Notwithstanding that DEASP 
omits to identify this provision in is Privacy Policy and Comprehensive Guide, in its 
submissions to the DPC following delivering of the Draft Report, DEASP confirmed that it 
relies primarily on the legal bases provided under section 2A(l)(c)(ii) and/or section 
2A(a)(c)(iii) of the Acts^^^ i.e. that processing of personal data in the context of the PSC and 
SAFE is necessary for the performance of a function: 

conferred on a person by or under an enactment (i.e. the SWCA 2005) [Section 
2A(l)(c)(iii)]; 

and/or of the Government or a Minister of the Government (i.e. the Minster for 
Employment Affairs and Social Protection) [Section 2A(l)(c)(iii)] 

184. DEASP states that there is a degree of overlap in these conditions and that if it shows that 
the former condition is met because the processing is necessary for the performance of a 
function conferred on a person, namely the Minister, under an enactment, then the latter 
condition is also met. DEASP states in this regard that it is confident that it can demonstrate 
that the processing of personal data is necessary for the performance of a function 
conferred on a person by or under an enactment, that enactment being the SWCA 2005. 
Elowever DEASP also states that it reserves the right to rely on other legal bases, including 
Section 2A(l)(c)(iv) of the Acts which applies to processing which is necessary "for the 
performance of any other function of a public nature, performed in the public interest by a 
person". DEASP also states that Section 2A(l)(b)(iii) of the Acts which applies to processing 
necessary "for compliance with a legal obligation to which the data controller is subject 
other than an obligation imposed by contract" may have relevance. However as regards 
these latter two conditions which DEASP has flagged as potentially applicable legal bases, 
DEASP has not engaged in any further detail by way of explanation or justification as to why 
it may be entitled to rely on same. 

185. Accordingly, the DPC has focused its assessment in the main on whether DEASP has a legal 
basis (i.e. whether the processing is necessary) by reference to the performance of a 
function conferred on a person by or under enactment^^® or for the performance of a 
function of the Government or a Minister of the Government^^^ for processing personal 
data in connection with the PSC and SAFE registration. However, for completeness, the DPC 
has also considered whether a legal basis for DEASP's processing in this context arises from 
Section 2A(l)(c)(iv) - performance of a function of a public nature in the public interest, as 
the DPC considers that this may be closely related to the other two legal bases primarily 
relied on by DEASP. As DEASP has not put forward any demonstration as to how section 


DEASP's Response to the Draft Report, Part 2, Section 3.1.11 at paragraphs 3 - 16. 
Section 2A(l)(c)(ii) of the Acts. 

Section 2A(l)(c)(iii) of the Acts. 
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2A(l)(b)(iii) of the Acts (which applies to processing necessary "for compliance with a legal 
obligation to which the data controller is subject other than an obligation imposed by 
contract") might potentially apply, the DPC has not considered this as a potentially 
applicable legal basis. 

3.2.6 DPC's approach to analysing whether there is a legal basis for DEASP's processing 

186. The DPC's analysis has been carried out by reference to two separate scenarios. Firstly the 
DPC has assessed whether there is a legal basis for the processing of personal data by DEASP 
in connection with SAFE registration and the issuing of the PSC where the personal data 
being processed is that of persons claiming, presenting for payment of or receiving a benefit 
from DEASP (such persons have also been referred to as benefit claimants in this report). 
The second scenario which the DPC has assessed is whether there is a legal basis for the 
processing of personal data by DEASP in connection with SAFE registration and the issuing 
of the PSC where the personal data being processed is that of persons who are not claiming, 
presenting for payment of or receiving a benefit from DEASP but rather are persons seeking 
to carry out a transaction with another public body (not the DEASP). 

187. In the first instance however, it is important to highlight that DEASP has a fundamental 
objection to this approach being adopted by the DPC to its analysis. In this respect, DEASP 
contends that "a false dichotomy has been created by the DPC between those claiming 
benefits from DEASP and those transacting with [other] specified bodies" The DPC 
understands that, in essence, DEASP considers the DPC to be is incorrect to have focused 
its analysis as to the lawfulness of the processing by reference to the nature of the 
transaction for which a PSC is issued (i.e. a transaction where a benefits claimant seeks a 
payment or receive a benefit on one hand versus a transaction between a person and 
another specified body on the other hand). Instead DEASP in effect contends that the focus 
of the analysis as to whether there is a lawful basis should be based on the statutory 
provision which provides for the power of DEASP (i.e. exercising the power of the Minister) 
to issue a PSC (Section 263(1) of the SWCA 2005). The DPC takes account of the issues raised 
by DEASP in this regard the analysis that follows, particularly in Part 3.2.8. 

188. For the purpose of carrying out this analysis, the DPC firstly considers immediately below, 
the relevant provisions of the SWCA 2005 and the practical application of the SAFE 
registration process, including whether the latter is provided for by the former. 

3.2.7 Relevant legislative provisions concerning SAFE registration and the issuing of PSCs 

189. The SWCA 2005 contains provisions which govern the issue and use of the PSC. The PSC 
contains a contactless electronic storage chip which records the name of the holder, the 
person's PPSN, the person's photograph, their signature, an issue number for the PSC, the 
expiry date of the PSC, the person's date and place of birth, the person's sex, the person's 
nationality, all former surnames of the person, and all former surnames of the person's 


DEASP's Response to the Draft Report, Part 1, paragraph 36. 
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mother.^^^The card also records information on a magnetic stripe, and displays the person's 
name, photograph, PPSN, and signature on the printed surface of the card.^“ Each card is 
valid for up to seven years. 

190. Sections 263, 263A, and 263B of the SWCA 2005 govern the technical implementation of 
the PSC, and the requirements for issue and use of the card. Section 263(1) of the SWCA 
2005 provides that the Minister may issue a PSC, in such form as the Minister considers fit 
for the purposes of carrying out a transaction.The Minister shall not issue a PSC to a 
person unless the Minister is satisfied as to the identity of the person to whom the PSC is 
to be issued.However, the SWCA 2005 does not specifically set out what constitutes 
"being satisfied as to the identity of the person" in question. The SWCA 2005 does set out 
in section 263B (1) in non-exhaustive format, certain measures which the Minister may take 
in order to satisfy himself or herself as to identity. In this respect. Section 263B(1) provides 
that for the purposes of satisfying himself or herself as to the identity of a person and 
"without prejudice to any other method of authenticating the identity of that person" the 
Minister may request that person to - 

(a) to attend at an office of the Minister or such other place as the Minister may 
designate as appropriate, 

(b) to provide to the Minister, at that office or other designated place, such 
information and to produce any document to the Minister as the Minister may 
reasonably reguire for the purposes of authenticating the identity of that person, 

(c) to allow a photograph or other record of an image of that person to be taken, at 
that office or other designated place, in electronic form, for the purposes of the 
authentication, by the Minister, at any time, of the identity of that person, and 

(d) to provide, at that office or other designated place, a sample of his or her 
signature in electronic form for the purposes of the authentication, by the Minister, 
at any time, of the identity of that person. [Emphasis added] 

(2) The Minister shall retain in electronic form — 

(a) any photograph or other record of an image of a person taken pursuant to 
subsection (l)(c), and 

(b) any signature provided pursuant to subsection (l)(d). In such manner that allows 
such photograph, other record or signature to be reproduced by electronic means. 
[Emphasis added]. 


This is provided for by section 263(1B) SWCA 2005. 

This is provided for by section 263(1A) SWCA 2005. See also the Comprehensive Guide, response to Question 41 
("What PSI data is either stored on the card or appears on the front of the card?") 

Comprehensive Guide, response to Question 23 ("How frequently will an individual be required to update their data 
for SAFE?") 

Section 262(1) SWCA 2005 provides "transaction" means— 

(a) an application, 

(b) a claim, 

(c) a communication, 

(d) a payment, or 

(e) a supply of a service, 

relating to a public function of a specified body which relates to a natural person. 

163 Section 263(1C), SWCA 2005. 
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191. As referenced above, DEASP's Comprehensive Guide states (in response to Question 7 
"How do people register to SAFE 2 standard?") that SAFE 2 registration usually involves: 

a combination of all of the following - 

• a face-to-face meeting at an Intreo centre^^^ or a dedicated SAFE 
registration centre 

• the collection and verification of the basic identity information known as 
the person's Public Service Identity (PS!) data set 

• the examination/validation/verification of at least two documents 
supporting identity, and 

• photo-matching. 

192. Accordingly, while the SAFE registration process is not referred to by name/ acronym at all 
in the SWCA 2005, by comparing the specified means of identity verification/authentication 
set out in Section 263B SWCA 2005 with what is set out above in the Comprehensive Guide, 
it is clear that the SAFE 2 registration requirements correspond to elements of section 263B 
SWCA 2005. The below table illustrates the convergences between the identity 
authentication means which are expressly referenced in section 263B and the elements of 
SAFE registration as identified in the DEASP's Comprehensive Guide. 


SAFE 2 Registration Steps (per Question 1, 
DEASP Comprehensive Guide) 

Corresponding Legislative Provision (of 
the Social Welfare (Consolidation) Act 
2005) 

a face-to-face meeting at an Intreo centre or a 
dedicated SAFE registration centre 

Section 263B(l)(a) 

the collection and verification of the basic 

identity information known as the person's 
Public Service Identity (PSI) data set 

Section 263B(l)(b), 263B(l)(c), 

263B(l)(d) 

the examination/validation/verification of at 
least two documents supporting identity 

Section 263B(l)(b), 263B(l)(c), 

263B(l)(d) 

photo-matching 

This is not specifically covered by 
section 263B(l)(a)-(d). However, 
sections 263B(l) is “without prejudice 
to any other method of authenticating 
the identity of that person. The taking 


DEASP's website states that "Intreo is a single point of contact for all employment and income supports. Designed to 
provide a more streamlined approach, Intreo offers practical, tailored employment services and supports for 
jobseekers and employers alike". See http://www.welfare.ie/en/Pages/lntreo home.aspx 


Page 73 of 172 










of a photograph or recording an image 
are covered under 263B(l)(c), and the 
retention of same in electronic form is 
required under section 263B(2). 


193. However it is also clear that the Minister has discretion to use means, methods or 
processes, other than SAFE 2, for the purposes of identity verification/ authentication. This 
is clear from Section 263B SWCA 2005 which states that the specified means are "without 
prejudice to any other method of authenticating the identity of that person"). 

3.2.8 DEASP's contention that the lawfulness of processing should be assessed by primary 
reference to the function under Section 263 SWCA 2005 


194. As referred to above, in summary DEASP's position is that the DPC's analysis as to whether 
there is a legal basis for the processing of personal data by DEASP in connection with the 
PSC proceeds on an incorrect basis. DEASP contends that the primary provision of the SWCA 
2005 against which the lawfulness of (i.e. the legal basis for) the processing should have 
been assessed is Section 263. DEASP relies on Section 263(1) as the relevant function 
conferred by or under an enactment for the purposes of Section 2A(l)(c)(ii) of the Acts, 
which is described by DEASP as "the main provision in play".“^ In this regard, it is DEASP's 
position that the DPC's approach in assessing the lawfulness of the processing by reference 
to whether the PSC has been issued by DEASP for the purposes of authenticating the 
identity of persons who are claiming, receiving or presenting for the payment of benefits 
versus the purposes of carrying out transactions with other specified bodies (i.e. not the 
DEASP) is flawed. DEASP states that: 

Section 263(1) SCWCA 2005 is an enactment which creates a Ministerial function 
(section 2A(l)(c)(ii) of the Acts). The function is to issue PSCs. The issue of a PSC is not 
confined to support the carrying out of transactions with DEASP only. It is explicitly 
intended to support the carrying out of transactions with all specified bodies, of which 
DEASP is one.^^^ 

195. As such, the elements of DEASP's position may be summarised as follows: 


(1) Section 263(1) is an enactment which creates a Ministerial function (within the 
meaning of Section 2A(l)(c)(ii) of the Act);^®^ 

(2) The function is to issue PSCs;“® 


DEASP's Response to the Draft Report, Section 3.1.11 at paragraph 5. 
DEASP's Response to the Draft Report, Part 1, paragraph 40. 

DEASP's Response to the Draft Report, Part One, Paragraph 40. 
DEASP's Response to the Draft Report, Part One, Paragraph 40. 
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(3) The issue of a PSC is not confined to support the carrying out of transactions with 
DEASP only; it is explicitly intended to support the carrying out of a transaction with 
all specified bodies, of which DEASP is one;“® 

(4) The Ministerial function to issue PSCs is expressly made subject to Section 263(1C), 
which provides that the Minister must be satisfied as to identity;^^° 

(5) In order for the Minister to be satisfied as to the identity of a person and to issue a 
PSC, it is necessary for the Minister to follow the steps set out in Section 263(B), 
which corresponds to SAFE 2 registration;^^^ 

(6) In order for the Minister to exercise her statutory function as set out in Section 
263(1), it is necessary for her to process personal data to authenticate identity, 
through a stipulated method which corresponds to SAFE 2 registration;^^^ and 

(7) The DPC fell into error in insisting that processing be mandatory under law^^^ in 
order to be valid when Section 2A(l)(c)(ii) of the Act simply requires processing be 
necessary for a function conferred by enactment}^"^ 


196. In addition, DEASP contends that the DPC is incorrect in that: "[T]he DPC Is focussing on 
subsequent use of the card, once Issued, which Is Irrelevant to the Issue of the function of 
the Minister, conferred under enactment, to SAFE register and Issue the PSC"}^^ DEASP 
states that "[t]he specified body can stipulate that a PSC Is required for certain transactions. 
It Is a matter for the specified body to determine whether the production of a PSC Is a 
necessary and proportionate requirement" 

3.2.9 Assessment of Section 263 SWCA 2005 against Section 2A(l)(c)(ii) of the Acts 

197. As is clear from the summary of DEASP's position above, DEASP primarily contends that the 
processing it undertakes in connection with the PSC is necessary to enable the fulfilment of 
the statutory function conferred by Section 263(1), which is the discretion to issue a PSC for 
the purpose of a transaction. 

198. The DPC has assessed the position of the DEASP in this regard in the following paragraphs. 
In doing so, the DPC considers (a) whether Section 263 creates a statutory function for DEASP 
in accordance with Section 2A(l)(c)(ii), and if so, (b) whether the processing by DEASP in 
connection with the PSC is necessary for the performance of that statutory function. 


DEASP's Response to the Draft Report, Part One, Paragraphs 40 - 43. 

DEASP's Response to the Draft Report, Part One, Paragraphs 41 - 43. 

DEASP's Response to the Draft Report, Part One, Paragraphs 41 - 43. 

DEASP's Response to the Draft Report, Part One, Paragraph 43. 

This is a reference to the previous formulation of finding 2 which appeared in the Draft Report as a provisional 
finding, in which the DPC found that there was not a legal basis under the Acts (Sections 2A(l)(c)(ii) or (iii) for DEASP 
"to conduct personal data processing by way of mandatory, centralised identity authentication of persons who are 
conducting transactions with specified bodies other than the DEASP." As will be seen from Finding 2 in this report, 
the formulation of the finding has been varied to remove the reference to "mandatory, centralised processing". 
DEASP's Response to the Draft Report, Part One, Paragraph 44. 

DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 54. 

DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 56. 
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3.2.10 Does Section 263 SWCA 2005 create a statutory function for DEASP? 


199. DEASP primarily contends that the processing is necessary to enable the fulfilment of the 
statutory function conferred by Section 263(1), which is the discretion of issuing a PSC for 
the purpose of a transaction. 

200. Pursuant to the Schedule, Part 1 of the Interpretation Act 2005, the term "function": 

"includes powers and duties, and references to the performance of functions include, 
with respect to powers and duties, references to the exercise of the powers and the 
carrying out of the duties". (Emphasis added). 

As such, there is no doubt but that the power conferred by Section 263(1) - which is to 
issue a PSC - can be regarded as a statutory function . 

201. Elowever it should firstly be noted that Section 263(1) itself involves a data processing 
function. The issuing of a PSC under this power by its very nature involves "collection, 
recording, organization, storage, ... use, disclosure by transmission, dissemination by 
otherwise making available" of personal data within the definition of "processing" in Section 
1 of the Acts (and Article 2b of the Directive). This is clear from Section 263(1A) SWCA 2005 
which sets out the personal data which must be inscribed on the PSC issued to a person and 
Section 263(1B) which sets out the personal data which must be contained in non-legible 
form capable of being recovered by electronic means from the PSC. Thus, the focus of the 
provision is on data processing; namely, in the conferral of the power to issue a PSC. 
Moreover, it is clear that even DEASP itself characterises Section 263(1) as involving a data 
processing function and it notes that: 

(1) Section 263(1) confers "[t]he power to issue PSCs"f^^ 

(2) "Thefunction is to Issue PSCs"f^^ 

(3) "[SJectlon 263(1) SWCA 2005, which refers to section 263(1C) SWCA 2005, confers 
the Minister with a function (i) to issue PSCs for the purposes of carrying out a 
transaction (with specified bodies) (ii) once satisfied as to the identity of a 
person"and 

(4) "In order for the Minister to perform her function and to be satisfied as to the 
identity of a person and to issue a PSC, it is necessary for the Minister to follow the 
steps set out in section 263(B) SWCA 2005".^^° 

202. Perhaps the most striking summary of DEASP's contention is as follows: 


DEASP's Response to the Draft Report, Part 3.1.5, Paragraph 2. 

DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 34. 

DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 36. 

DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 38. 
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In summary, it Is the Department's contention that the DPCs analysis of the 
legislation is flawed and that the Minister has a statutory function in processing 
personal data for the purpose of issuing a PSC in respect of persons transacting 
with specified bodies. Section 263(1) SWCA 2005 confers a function on the 
Minister that she may issue a PSC, subject to identity authentication (section 
263(1C), for the purpose of a transaction.’'-^^ 

203. Reading Section 2A(l)(c)(ii) compatibly with Article 7(e) of the Directive which it implements 
(in accordance with the applicable principles of interpretation) it is apparent that the 
relevant statutory function for which the data processing is necessary, could not, itself, be 
a data processing function . In this regard it must be noted that Article 7(e) of the Directive 
permits processing that is: 


“necessary for the performance of a task carried out in the public interest or in the 
exercise of official authority vested in the controller or In a third party to whom the data 
are disclosed". (Emphasis added). 

It must therefore be possible to identify a "task carried out in the public interest". The "task 
carried out in the public interest" cannot itself be a data processing task . If it were 
permissible to justify processing by reference to a data processing task, that would be 
circular and self-justifying. Accordingly the DPC considers that it must be necessary to 
identify a "task carried out in the public interest" which is independent from and external 
to, a data processing task or objective. The requirement that the processing cannot be the 
end in itself but rather must be a means to an end is a central concept in data protection, 
expressed by reference to the "purposes" of the processing. Article 8(1) of the Charter, as 
noted earlier, requires that "data must be processed fairly for specified purposes " while both 
the Acts and the Directive require that personal data must be "collected for specified, 
explicit and legitimate purposes ". As such, a freestanding data processing function (issuing 
PSCs) without reference to a specified, explicit purpose which that processing function is 
intended to be in pursuit of, is inconsistent with the requirement that the purpose behind 
the processing (in this case, the task in the public interest) be identified. The DPC does not 
consider that Section 263 identifies with any specificity the purpose/ task in the public 
interest which is purportedly served by the processing operation of issuing PSCs. The 
general references to the Minister issuing a card "in such form as the Minister considers fit 
for the purposes of carrying out a transaction" (Section 263(1)), do not satisfy this 
requirement. 

204. It therefore appears to the DPC that DEASP's reliance on Section 263(1) attempts to justify 
the processing it conducts in connection with the issuing of PSCs solely by reference to a 
statutory function of data processing. Thus, in the DPC's view, the flaw with the DEASP's 
position is that it effectively seeks to justify data processing by reference to data processing. 
In this regard, the DPC considers that DEASP's interpretation arises from an excessively 


DEASP's Response to the Draft Report, Part 3.1.11, Paragraph 78. 
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narrow focus on the terms of Section 2A(l)(c)(ii) of the Acts, without having regard to the 
underlying Article 7(e) of the Directive. As noted above, the Acts must be interpreted 
compatibly with the Directive and therefore Section 2A(l)(c)(ii) must be interpreted 
compatibly with Article 7(e). Viewed from that perspective, the DPC does not consider that 
data processing can be justified by reference to a statutory data processing function. 
Therefore, in the DPC's view, Section 263(1) cannot be invoked by DEASP as a statutory 
function for the purpose of Section 2A(l)(c)(ii) to justify the processing in connection with 
the issuing of PSCs. For that reason, it is not necessary to consider the second question 
outlined above at paragraph 195 as to whether the processing is necessary for the function 
in question. 

205. For the same reasons set out above, the DPC also does not consider that this provision can 
be invoked under Section 2A(l)(c)(iii) - processing which is necessary for the performance 
of a function of the Government or a Minister of the Government. For reliance on this 
function, the processing must be necessary for a "function of a Minister" which is 
independent from and external to, a data processing task or objective. This is not the case 
with Section 263 which is in itself a data processing task of the Minister. Again, for that 
reason, it is not necessary to consider the second question outlined above at paragraph 195 
as to whether the processing is necessary for the function in question 

206. The DPC has also considered whether Section 263 may be a function which falls within the 
scope of Section 2A(l)(c)(iv) - processing which is necessary for performance of a function 
of a public nature in the public interest. The public interest may be said to be the objective 
of verifying the identity of both (a) benefits claimants and (b) persons (other than benefits 
claimants) who engage in transactions with specified bodies other than DEASP. Given that 
different legislative provisions apply to verification of identity in relation to each category 
of persons, it is necessary to carry out separate assessments as to whether Section 
2A(l)(c)(iv) provides a legal basis for the processing of benefits claimants on one hand, and 
on the other hand, persons other than benefits claimants. As regards benefits claimants. 
Section 263 must be considered in conjunction with the other relevant provisions of the 
SWCA 2005 concerning verification of identity of benefits claimants (Section 241(l)(b) and 
Section 242(4) in particular) to assess firstly, whether a public interest function exists and 
then, whether processing is necessary for that purpose. This assessment has been 
conducted at Part 3.2.12. As will be seen from Finding 1, the DPC considers that the 
combination of these sections provides a legal basis for the processing in question under 
each of Section 2A(l)(c)(ii), (iii) and (iv). Separately, in relation to persons seeking to engage 
in transactions with specified bodies, the assessment as to firstly, whether a public interest 
function exists and then, whether processing is necessary for that purpose is set out below 
at Part 3.3. As will be seen from that analysis and Finding 2, the DPC considers that the 
objective of verifying the identity of persons engaging in transactions with specified bodies 
is a function of a public nature performed in the public interest which falls within the scope 
of Section 2A(l)(c)(iv). It does not consider that processing for SAFE registration and the 
issuing of the PSC is necessary for that function. 
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207. Accordingly, the DPC finds that Section 263, considered on its own, does not provide a legal 
basis under Section 2A(l)(c)(ii), (iii) or (iv) of the Acts for processing conducted by DEASP in 
connection with SAFE registration and the issuing of PSCs. 


3.2.11 DEASP's contention that subsequent use of the card is secondary to the function to issue 
PSCs 

208. As referred to above, in relation to the question of the function performed to issue PSCs, 
DEASP also argues that the DPC is erroneously focusing on the subsequent use of the PSC. 
DEASP says this is irrelevant to the issue of the function of the Minister to SAFE register and 
issue PSCs. In this respect DEASP states that the fact that the PSC could be used by a person 
to present for benefits or for other transactions is an important but secondary issue which 
does not impact on the Minister's powers to issue PSCs^“. The DPC disagrees with this 
position. Firstly, as set out above, DEASP has adopted a unduly narrow focus to the 
requirement that a function must be identified as the starting point for reliance on a legal 
basis under Section 2A(l)(c)(ii), (iii) or (iv) of the Acts. DEASP seeks to justify the processing 
it carries out by reference to a processing function (Section 263(1)), rather than a 
standalone function. Secondly, the issue of the subsequent use of the card is, in the view of 
the DPC, central to the question of the necessity of the processing carried out by DEASP to 
SAFE register and issue the PSC. As noted at paragraph 166, the mere existence of a 
legislative provision does not provide a legal basis for processing and a controller must be 
able to demonstrate how the processing is necessary for the function in question. If there is 
no necessity to process personal data for the purposes of issuing a PSC (i.e. because there 
is no requirement on a person to produce a PSC), then there is no legal basis for that 
processing, irrespective of whether the controller considers that there is a function to issue 
PSCs set out in a legislative provision. It should be noted that different legislative provisions 
apply to the subsequent use of the PSC depending on whether it is used for claiming 
benefits orfor a transaction with a specified body other than DEASP. Therefore the question 
of whether there is a requirement to produce a PSC is considered below separately in 
relation to (a) benefits claimants (Part 3.2.12) and (b) persons seeking to engage in 
transactions with other specified bodies (not DEASP) (Part 3.3). 


3.2.12 Consideration of whether a legal basis for processing arises from Section 241 and/or Section 
242 SWCA 2005 - processing the personal data of benefits claimants 


209. Elaving concluded in Parts 3.2.9 - 3.2.10 that Section 263 does not provide a legal basis 
within the meaning of Section 2A(l)(c)(ii) of the Acts, the DPC has gone on to consider 
whether the identity authentication provisions in Section 241 and/or 242 SWCA 2005 
(which relate only to persons claiming, presenting for payment of or receiving a benefit 
from DEASP), provide such a legal basis. 


DEASP's Response to the Draft Report, Section 3.1.11 at paragraph 54. 
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210. Firstly, by way of background it is noted that DEASP applies SAFE 2 standard identity 
verification and requires the PSC for its own purposes in respect of both persons making 
claims for benefits (under section 241 SWCA 2005), and persons in receipt of payments of 
benefits (pursuant to sections 241, 242 and 247C).^®^ 

3.2.13 Verification of identity of persons making a claim for benefits 

211. Under the SWCA 2005, persons making a claim for a benefit from DEASP are required to 
satisfy the Minister as to their identity. In this regard. Section 241(1) of the SWCA 2005 
states: 

(1) It shall be a condition of any person's right to any benefit that he or she— 

(a) makes a claim for that benefit in the prescribed manner, and 

(b) satisfies the Minister as to his or her identity [Emphasis added] 

212. Section 241(1C) sets out in non-exhaustive form (see the emphasised text below), a list of 
ways in which the Minister may require a person to prove their identity for the purpose of 
making a claim for a benefit, as follows - 

(IC) For the purposes of satisfying himself or herself as to the identity of a person 
who makes a claim for benefit, the Minister may, without prejudice to any other 
method of authenticating the identity of that person, reguest that person— 

(a) to attend at an office of the Minister or such other place as the Minister may 
designate as appropriate, 

(b) to provide to the Minister, at that office or other designated place, such 
information and to produce any document to the Minister as the Minister may 
reasonably reguirefor the purposes of authenticating the identity of that person, 

(c) to allow a photograph or other record of an image of that person to be taken, at 
that office or other designated place, in electronic form, for the purposes of the 
authentication, by the Minister, at any time, of the identity of that person, and 

(d) to provide, at that office or other designated place, a sample of his or her 
signature in electronic form for the purposes of the authentication, by the Minister, 
at any time, of the identity of that person. 

(ID) The Minister shall retain in electronic form — 

(a) any photograph or other record of an image of a person taken pursuant to 
subsection (lC)(c), and 

(b) any signature provided pursuant to subsection (lC)(d), 

in such manner that allows such photograph, other record or signature to be 
reproduced by electronic means. [Emphasis added]. 


See response to Question 4 in the Comprehensive Guide "Do I have to complete the SAFE process?". 
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213. 


As appears from the above at Part 3.2.7, the criteria in this section are identical to those in 
section 263B(1) SWCA 2005. This section similarly provides that the above listed items (a) 
to (d) are "without prejudice to any other method of authenticating the identity of" a 
claimant that the Minister may use. 


3.2.14 Verification of identity of persons presenting for payment of benefits 

214. It should be noted that section 264 provides that, without prejudice to section 263 SWCA 
2005 (which provides that the Minister may issue a PSC), the Minister may issue a card other 
than a PSC for the purpose of the payment of a benefit. The current formulation of Section 
264 was inserted by section 9 of the Social Welfare and Pensions Act 2010. The Explanatory 
Memorandum accompanying this 2010 Act states "Section 9 also makes a number of 
changes to the current provisions relating to the public services card under section 263 of 
the Social Welfare Consolidation Act 2005 and the social services payment card under 
section 264, including clarifying that both the social services card and the public services 
card can be used for the purposes of paying social welfare benefits." The "social services 
payment card" referred to here is the same card which is referred to in this report as the 
"payment (Section 264) card". 

215. Section 242(4), SWCA 2005 provides that persons presenting for payment of a benefit may 
be required to satisfy the Minister as to their identity as follows - 

(4) ... a person presenting for payment of benefit on his or her own behalf shall 
satisfy the Minister, an officer of the Minister or a payment service provider, as the 
case may be, as to his or her identity by furnishing— 

(a) his or her public services card, or 

(b) a card that has been issued to the person by the Minister under section 264 and 
such other information or documentation as the Minister, an officer of the Minister 
or a payment service provider, as the case may be, may reasonably reguire for the 
purposes of authenticating the identity of that person. [Emphasis added]. 

216. Section 242(7) states that failure to comply with the above requirements may result in the 
withholding of a benefit. 

3.2.15 Verification of identity of persons receiving benefits 

217. Separately, Section 247C ('Disqualification from receipt of a benefit where identity not 
authenticated') provides that the Minister may give notice to any person receiving a benefit 
requesting the person to satisfy the Minister as to his or her identity.^®'* Failure to comply 
with such a notice, in relation to satisfying the Minister as to his or her identity, will result 


“4 Section 247C(1), SWCA 2005. 
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in disqualification from receipt of the benefit.Section 247C(3) provides that the Minister 
may, in order for the Minister to be satisfied as to his or her identity, request the person to 
whom notice is given to - 

(a) attend at an office of the Minister or such other place as the Minister may 
designate as appropriate; 

(b) provide to the Minister, at that office or other designated place, such information 
and to produce any document to the Minister as the Minister may reasonably 
reguirefor the purposes of authenticating the identity of that person; 

(c) allow a photograph or other record of an image of that person to be taken, at 
that office or other designated place, in electronic form, for the purposes of the 
authentication, by the Minister, at any time, of the identity of that person; 

(d) provide, at that office or other designated place, a sample of his or her signature 
in electronic form for the purposes of the authentication, by the Minister, at any 
time, of the identity of that person. 

(4) The Minister shall retain in electronic form — 

(a) any photograph or other record of an image of a person taken under subsection 
(3)(c), and 

(b) any signature provided under subsection (3)(d), in such manner that allows such 
photograph, other record or signature to reproduced by electronic means. 

(5) This section shall not be construed as preventing the Minister from using a 
method of authentication of the identity of a person In receipt of benefit, other than 
a method referred to in this section, which the Minister considers appropriate to 
use. 


3.2.16 Summary of provisions in relation to persons claiming, presenting for payment of or 
receiving benefits 


218. Accordingly, while the SAFE registration process is not referred to by name at all in the 
SWCA 2005,by comparing section 263B which relates to authenticating identity for the 
purposes of issuing a PSC, and section 241(1C) which relates to authenticating the identity 
of a claiming a benefit, with what is set out above in relation to authenticating the identity 
of persons in receipt of a benefit under section 247C, it is clear that the SAFE 2 registration 
requirements correspond to elements of these sections. The table at Annex 1 illustrates the 
convergences between the identity authentication means which are expressly referenced 
in section 263B, section 241(1C) and section 247C and the elements of SAFE registration as 
identified in the DEASP's Comprehensive Guide. 


185 Section 247C(2), SWCA 2005. 
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219. However it is also clear that sections 263B, 241(1C) and above 247C(2) all provide that the 

Minister has discretion to use other methods or processes, other than SAFE 2, to verify or 

authenticate the identity of a person. 

220. In summary therefore, the provisions of the SWCA 2005 provide that: 

(1) The entitlement of a person to payment of a benefit is conditional on that person 
satisfying the Minister of his/ her identity (Section 241(1)). 

(2) The Minister may satisfy himself/herself as to the identity of such a person and a non- 
exhaustive list of ways in which this may be done is provided for (Section 241(1C)). 
These requirements correspond to elements of the SAFE 2 standard of identification. 

(3) The Minister may, subject to being satisfied as to a person's identity, issue a PSC to such 
a person (Section 263(1)). (A further non-exhaustive list of the ways in which the 
Minister may satisfy himself/herself as to the identity of a person to whom a PSC is to 
be issued is set out at Section 263B(1)). These requirements correspond to elements of 
the SAFE 2 standard of identification. 

(4) Where a person presents himself/ herself for the purposes of actually receiving a 
payment under a benefit, the person is required to present either the PSC or a payment 
(Section 264) card and where the latter is presented, the person in question may also 
be required to produce other information or documentation to authenticate their 
identity (Section 242(4)). 

(5) Where a person is in receipt of a benefit, the Minister may request that person to satisfy 
the Minister of his or her identity. (Failure to satisfy the Minister of same will result in 
the person being disqualified from receiving any benefit). A non-exhaustive list of ways 
in which this may be done is provided for in section 247(3) to (5), SWCA 2005. These 
requirements correspond to elements of the SAFE 2 standard of identification. 


3.2.17 Is there a legal basis under Section 2A(l)(c)(ii) for DEASP to process personal data of benefits 
claimants? 

221. As noted above, the purpose of this section of the report has been to assess whether DEASP 
has a legal basis in accordance with Section 2A(l)(c)(ii) of the Acts (i.e. whether the 
processing is necessary for the performance of a function conferred on a person by or under 
enactment) when processing personal data for the purposes of the PSC and SAFE 
registration. The assessment in this sub-part concerns the situation where the personal data 
being processed is that of persons claiming, presenting for payment of or receiving a benefit 
from DEASP (such persons have also been referred to as benefits claimants in this report). 
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222. Pursuant to the Interpretation Act 2005, as amended, as noted above, the term "functions" 
is defined as including "powers and duties, and references to the performance of functions 
include, with respect of powers and duties, references to the exercise of the powers and 
the carrying out of the duties."^®® 

223. Section 241(l)(b) provides, as noted above, that it is a condition of a person's right to a 
benefit that the person in question must satisfy the Minister as to his or her identity. 
Accordingly, the corollary of this is that the Minister has a function, conferred by the SWCA 
2005, to be satisfied of - in other words to verify (or in the wording of the SWCA 2005 
'authenticate') - the identity of any persons claiming, presenting for payment of or receiving 
a benefit. The method by which, in practice, that identify verification occurs is the SAFE 2 
registration process and the requirements in 241(1C) which correspond generally to SAFE 
2. Furthermore, the Minister, having satisfied himself or herself of such identity, may in 
accordance with section 263(1) and 263(1C) issue a PSC. The PSC is in turn one of either of 
two methods required by Section 242(4) SWCA 2005 for a person to confirm their identity 
when presenting for payment of a benefit. 

224. The DPC therefore considers that Sections 241(l)(b) and 242(4) in combination with the 
discretionary power under Section 263(1) to issue a PSC, confer a function on the Minister of 
verifying the identity of those claiming, presenting for payment of, or receiving benefits. 
While both provisions in Section 241(l)(b) and 242(2) are expressed in terms of an obligation 
on the benefit claimant, the clear corollary is a power on the part of the Minister to demand 
proof of identity, whether by way of PSC or the payment (Section 264) card, before paying a 
benefit. The DPC therefore concludes that in this regard, there is a function conferred by an 
enactment which is not merely a form of data processing, but rather a function of verifying 
identity which must be satisfied by either PSC or a payment (Section 264) card. 

225. Flaving identified that a function conferred on a person by or under an enactment exists in 
relation to the processing carried out by DEASP in connection with the PSC and SAFE 2 
registration in respect of DEASP benefit claimants by way of Section 241(l)(b) and 242, the 
DPC has proceeded to consider in the following paragraphs whether it can be said that the 
processing concerned is " necessary " within the meaning of Section 2A(l)(c)(ii) of the Acts, 
as interpreted in accordance with the concept of necessity under EU data protection law. 

226. As noted above, under Section 242(4) two forms of identification are permitted for a person 
to confirm their identity when presenting for payment of a benefit-the PSC or the payment 
(Section 264) card. It is acknowledged that an argument could be made that technically, the 
processing by DEASP for the purposes of SAFE 2 registration and the issuing of a PSC is not 
strictly necessary as there is an alternative form of identification to the PSC, namely, the 
payment (Section 264) card (together with other information or documentation which may 
be reasonably required by the Minister to authenticate the identity of the DEASP benefit 
claimant). Flowever, given that there are only two acceptable and recognisable forms of 
identification, and the PSC is one of those two forms, having regard to EU law in relation to 


Part 2 , Schedule, Interpretation Act 2005, as amended. 
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the concept of necessity in a data protection context, the DPC considers that the processing 
for the issuing of the PSC can fairly and credibly be said to satisfy the necessity test insofar 
as the functions in Section 241(l)(b) and Section 242(4) are concerned, for the following 
reasons: 

(1) Only two forms of identification are permissible under the relevant legislative 
provision, and it is necessary to have one or other. This therefore satisfies the 
requirement that the interpretation and application of necessity be strict and 
rigorous;^®^ 

(2) The processing for the purpose of the PSC is clearly capable of achieving its objective 
of facilitating verification of identity;^®® 

(3) While it is arguable that an alternative exists in the possibility to instead seek the 
presentation by the benefit claimant of the payment (Section 264) card,^®® the DPC 
has been unable to Identify the existence of an actual card Issued by DEASP that 
corresponds to this. Therefore, in practice it appears to the DPC that the PSC is the 
only form of identification capable of satisfying the requirements arising from the 
combination of Section 241(l)(b) and Section 242(2). Accordingly this appears to the 
DPC to satisfy the requirement that there ought to be no equally effective available 
alternative;^®® 

(4) The provisions appear to the DPC to satisfy the requirement that the relevant 
provisions of national law in relation to the restrictions of the rights concerned are 
clear.^®^ 

(5) In relation to the necessity requirement that the measure be the least restrictive of 
the right,^®^ the DPC has some reservations that the requirement to present a PSC 
satisfies this branch of the necessity test at EU level. However, the DPC is prepared 
to accept in circumstances where there is the existence of a clear legislative measure 
which specifically calls for the presentation of the PSC to verify identity, the 
processing of personal data for the purposes of issuing a PSC strikes a fair and 
reasonable balance between the rights of the citizen and DEASP's need to 
establish/verify the identity of persons claiming, presenting for, or receiving benefits 
from DEASP. 


As per the CJEU in Case C-13/16, Valsts policijas RJgas, 4 May 2017. 

As per the CJEU in Case C-13/16, Valsts policijas RJgas, 4 May 2017 

The Social Welfare Payments Card (Section 264 Card) also appears to be referred to as the "Social Welfare Services 
Card". See for example, answer to Parliamentary Question 172, 20 July 2011. The PSC subsequently replaced such 
cards. See Answer to Question 2 of the Comprehensive Guide, "What are the advantages of SAFE registration?" As a 
result, while two forms of identification are permitted, the 264 Card appears to be no longer In use. 

As per the CJEU In Joined Cases C-465/00, C-138/01 and C-139/01, Osterreichischer Rundfunk, 20 May 2003. 

In accordance with the principles in: Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v Post- och telestyrelsen, 
and Secretary of State for the Home Department, 21 December 2016; Case C-201/14 Smaranda Bara and Others v 
Casa Naponala de Asigurari de Sanatate and Others, 1 October 2015; and Opinion 1/15 (EU:C:2017:592). 

As per the CJEU in in Case C-13/16, Valsts policijas RJgas, 4 May 2017. 
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227. The DPC therefore concludes that the combination of Sections 263(1), 241(l)(b) and Section 
242(4) together provide a legal basis for the processing in question by DEASP (i.e. the 
processing of personal data as described at paragraphs 175 to 176) pursuant to Section 
2A(l)(c)(ii) in respect of benefits claimants. 


3.2.18 Is there also a legal basis under Section 2A(l)(c)(iii) for DEASP to process personal data of 
benefits claimants? 


228. Sections 241(l)(b) and Section 242(4) together with 263(1) are functions conferred under an 
enactment which are also functions of the Minister. Accordingly the DPC finds that for the 
same reasons as above, there is also a legal basis to be found under Section 2A(l)(c)(iii), which 
permits processing by DEASP (i.e. of personal data as described at paragraphs 175 to 176) 
which is necessary for the performance of a function of the Government ora Minister of the 
Government. 


3.2.19 Is there also a legal basis under Section 2A(l)(c)(iv) for DEASP to process personal data of 
benefits claimants? 


229. Finally the DPC has also considered whether the combination of Sections 263(1), 241(l)(b) 
and Section 242(4) together provide a legal basis for the processing in question by DEASP 
pursuant to Section 2A(l)(c)(iv) in respect of benefits claimants. This provision allows for 
processing which is necessary to the performance of any other function of a public nature 
performed in the public interest by a person. It is clear that the provisions of the SWCA 2005 
in question, as identified above, concern the purpose of identity authentication of benefits 
claimants. In this regard the DPC notes the objective of identity authentication articulated by 
DEASP^®^ in relation to Sections 261 - 274 SWCA 2005: 

"Taken as a whole these clearly provide for use of a shared public Identity information set 
for the purposes of customer transactions across the public service and for the use of a 
common public service card as a token of identity authentication whiie at the same time 
reducing administrative cost and improving customer service by minimising unnecessarily 
duplicated requests for the same core identity information". 

230. The DPC considers that it is readily apparent that there is a legitimate public interest in 
verifying the identity of those claiming, presenting for or receiving benefits and that such 
processing satisfies the requirement of necessity for the same reasons as those set out above 
at paragraph 203. Accordingly, the DPC considers that Sections 241(l)(b) and Section 242(4) 
together with Section 263(1) SWCA 2005 also constitute a legal basis for the processing in 
question by DEASP (i.e. of personal data as described at paragraphs 175 to 176) pursuant to 
Section 2A(l)(c)(iv) in respect of benefits claimants. 


DEASP's Response to the Draft Report, Section 3.1.11 at paragraph 59 and Part One, paragraph 36. 
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FINDING 1 

The Data Protection Commission finds that arising from the combination of Sections 
241(1)(b), 242(4) AND 263(1) OF THE SWCA 2005, THERE IS A LEGAL BASIS UNDER SECTION 
2A(1)(C)(||), (ill) AND (IV)OFTHE Acts FOR DEASPTO PROCESS CERTAIN PERSONAL DATA, (AS DESCRIBED 
AT PARAGRAPHS 175 TO 176) BY WAY OF SAFE 2 REGISTRATION AND THE ISSUING OF A PSC FOR THE 
PURPOSE OF AUTHENTICATING THE IDENTITY OF A PERSON CLAIMING, PRESENTING FOR OR RECEIVING A 
BENEFIT. 


3.3 Processing by DEASP of personal data of persons seeking to enter into transactions with 
specified bodies (persons who are not benefit claimants) 

231. Section 241 and 242 SWCA 2005 apply only in respect of persons claiming, presenting for 
payment of, or receiving benefits. These provisions do not therefore apply to persons who 
are not benefits claimants. As noted above, aside from the functions specific to DEASP in 
relation to the payment of benefits, the SWCA 2005 also contemplates the wider use of the 
PSC by other public bodies arising from Section 263 SWCA 2005. In this part, the DPC has 
assessed whether there is a legal basis for the processing of personal data by DEASP in 
connection with SAFE registration and the issuing of the PSC where the personal data being 
processed is not that of persons who are benefits claimants but rather that of persons who 
are seeking to carry out a transaction with another public body (not the DEASP). 

232. Firstly, it is relevant to rehearse the provisions of Section 263 which are applicable in this 
context. 

3.3.1 Consideration of Section 263 SWCA 2005 

233. As previously discussed, the general provision in the SWCA 2005 which enables the Minister 
to issue the PSC (section 263(1)), states that the PSC may be issued "for the purposes of 
carrying out a transaction". The SWCA 2005 includes, at section 262(1), a broad definition 
of a "transaction" which includes "an application, a claim, a communication, a payment, or 
a supply of a service, relating to a public function of a specified body which relates to a 
natural person". (Clearly the term "transaction" also captures the payment of a benefit to 
a person by the DEASP). In practice this means that a transaction with a public body may 
cover matters as diverse as applications for passports^^ to the provision of access to the 


See for example, Department of Foreign Affairs and Trade, Public Service Card, https://www.dfa.ie/passports- 
citizenship/top-passport-questions/public-services-card/ . 
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student grant scheme or appeals of school transport routes, the latter of which is due to be 
commenced. 

234. Section 263(3) of the SWCA 2005 states that: 

"a person shall produce his or her public services card at the request of a specified body 
for the purposes of a transaction" , [emphasis added]. 

235. The specified bodies for the purposes of sections 262 to 270 are those listed in Schedule 5 
to the SWCA 2005. The list of specified bodies listed in Schedule 5 is extensive, and includes 
all Ministers of the Government, all local authorities, all education and training boards, the 
Health Service Executive, and numerous other specified public bodies. 

236. Section 263(4) provides that it is an offence for a person other than a specified body to use 
the PSC, or to seek to have the PSC produced to him or her. (As referred to earlier, the Social 
Welfare, Pensions and Civil Registration Bill 2017, proposes, among other things, to permit 
PSC holders to produce the card only on voluntary basis for identity purposes to bodies that 
are not specified in law.) 

237. As noted above, section 263B of the SWCA 2005 provides a non-exhaustive list of methods 
by which the Minister may satisfy himself or herself as to the identity of a person in respect 
of whom a PSC or PPSN is to be issued. 

3.3.2 DEASP's position in relation to the processing of personal data of persons transacting with 
other specified bodies 

238. DEASP's position, is that there is a legal basis for processing personal data in connection 
with the issuing of PSCs by the Minister which applies regardless of whether the processing 
relates to the personal data of a person who is a benefit claimant or who is otherwise 
engaging in a transaction with a specified body (other than the DEASP). DEASP contends 
that this legal basis arises from the power to issue a PSC in Section 263(1) SCWA 2005. As 
also noted above, DEASP does not agree with the DPC's approach to separating its analysis 
as to legal basis with regard to the processing of personal data of benefits claimants versus 
persons transacting with other specified bodies. DEASP characterises this as the "false 
dichotomy" which it says the DPC has created between "client" and "non-clients" of 
DEASP.(It should be noted that in the Draft Report, the DPC referred to benefits 
claimants as "clients" of DEASP). DEASP states that it is clear that a person is entitled to 
request a PSC from it and that DEASP is entitled to issue a PSC, but if it is doing so, it must 
assure itself as to the person's identity. DEASP says that as a result it provides this service 
in respect of both people who are required to authenticate their identity to receive DEASP's 
own services and other people who present to DEASP seeking a PSC. DEASP states that it 


See the "Adoption Plan for the Public Services Card and MyGovID", which is laid out in page 12 of the Ireland 
eGovernment Strategy 2017-2020, for further details. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 29. 
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does not compel the latter group to present to it but that it is entitled to provide people 
with a PSC, and to the extent that it provides this service, it is required to do so if requested, 
subject to being satisfied as to the person's identity. 

239. Connected to this "false dichotomy" argument, DEASP further contends that to understand 
the power to issue PSCs, the position in relation to personal public service numbers (PPSNs) 
should be understood.^®® DEASP states that PPSNs (as referred to in Section 262 SWCA 
2005) are issued by the Minister in support of transactions with specified bodies and that 
the issuing of PPSNs is not limited to clients of DEASP who wish to receive benefits, although 
DEASP clients are included in the general cohort of people who are "the subject of any 
transaction with a specified body" - as referred to in Section 262(2) SWCA 2005.^®® DEASP 
emphasises that the provision which sets out the information which is to be given to the 
Minister for the purposes of allocating and issuing a PPSN (i.e. Section 262(3) SWCA 2005) 
does not create any distinction between DEASP clients or persons seeking transactions with 
other specified bodies. DEASP also notes Section 262(4) SWCA 2005 which states that: 

“A person shall give to a specified body his or her personal public service number and 
the personal public service numbers of his or her spouse, civil partner or cohabitant 
and children, where relevant, as required by the public body for the purpose of the 
person's transaction". 


240. DEASP contends that based on its analysis of the provisions in the SWCA 2005 concerning 
the issuing by the Minister of the PPSN that "all people Issued with a PPSN are "clients" of 
the Department In the sense that when requesting a PPSN they are required to satisfy the 
Minister as to their Identity. They are the subject of "any transaction with a specified body", 
therefore their requirement to so satisfy the Minister Is not contingent on a request for a 
benefit from DEASP."^°° DEASP's position is that the PSC legal provisions replicate the PPSN 
system insofar as specified bodies are concerned, because PSCs may be requested in the 
context of a transaction.^®^ 

241. In relation to the "false dichotomy" argument made by DEASP concerning the DPC's analysis 
of the legal basis for processing, the DPC does not consider that anything turns on the fact 
that the DPC has separately considered the processing in respect of benefits claimants from 
other persons who wish to engage in transactions with other public bodies. Ultimately, 
DEASP's assertion as to the legal basis for its processing rests on Section 263(1) in particular 
as to the function giving rise to the processing. DEASP maintain that this is the legal basis 
for all processing-of benefits claimants or otherwise - in connection with SAFE registration 
and the issuing of PSCs. Elowever, as made clear from the findings in this Report, the DPC 


DEASP's Response to the Draft Report, 3.1.11 at paragraphs 64 - 65. 

DEASP's Response to the Draft Report, 3.1.11 at III -The Issuing of Personal Public Service Numbers (PPSNs). 

Section 262(2) SWCA 2005 states: The Minister may, subject to subsection (2A), allocate and issue a personal public 
service number to each person who is the subject of a transaction with a specified body. The definition of a 
transaction is in turn found in Section 262(1) SWCA 2005. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 29. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 28. 
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does not consider that this provision alone satisfies the requirement for a legal basis in 
relation to DEASP's processing of personal data of either benefits claimants or other 
persons engaging in non DEASP transactions. 


3.3.3 Is there a legal basis provided by Section 263 SWCA 2006 for the purposes of Section 
2A(l](c](ii], (iii) or (iv) of the Acts in relation to persons engaging non DEASP transactions? 


242. As set out above, the DPC does not agree with DEASP's position that Section 263 provides 
a sufficient legal basis for the processing in connection with SAFE 2 registration and the 
issuing of PSCs under Section 2A(l)(c)(ii) of the Acts. This because, as previously described, 
it effectively seeks to justify data processing by reference to a statutory data processing 
function. For the same reasons, the DPC does not consider that reliance can be placed on 
Section 2A(l)(c)(iii) (processing necessary for the performance of a function of the 
Government or Minister of Government). 

243. Elowever the DPC considers, on a prima facie basis that the more appropriate legal basis for 
consideration may be Section 2A(l)(c)(iv) which allows for processing which is necessary for 
the performance of a function of a public nature performed in the public interest by a 
person. This provision has been considered above at Part 3.2.19 in the context of the 
objective of verifying the identity of benefits claimants. As acknowledged in those 
paragraphs, there is a legitimate public interest in verifying the identity of those claiming, 
receiving or presenting for benefit payments. Equally, the DPC considers that there is a 
legitimate public pursued by the processing for the purposes of the SAFE 2 registration and 
the issuing of PSCs, namely the verification of identity for the purposes of transactions with 
specified bodies. Accordingly, the DPC has proceeded in the paragraphs below to consider 
whether, having identified a potential legal basis which would capture the processing 
carried out under Section 263 to conduct SAFE 2 registration and issue PSCs, such 
processing is necessary in a legal sense for the performance of the public interest function 
of verification of identity. 

244. The DPC considers that the question of necessity of processing for this function under Section 
2A(l)(c)(iv) of the Acts is inextricably bound up with the question of whether it is necessary 
under the SWCA 2005 (or any other legislation) for a person who wishes to enter into a 
transaction with a specified body to produce a PSC as a condition of entering into a 
transaction with that specified body where the person does not already have a PSC. Therefore 
the DPC will first consider the meaning and effect of Section 263 to assess whether this 
amounts to the power of a specified body to require a person who wishes to enter into a 
transaction with it to obtain and produce a PSC as a condition to the transaction. 


3.3.4 DPC's analysis of the meaning and effect of Section 263 SWCA 2005 
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245. As set out above, in the case of benefits claimants, under Section 241(l)(b) SWCA 2005 it is 
a condition of a person's entitlement to a benefit that they must satisfy the Minister as to 
their identity. This is done by way of either production of the PSC or a payment (Section 
264) card. Accordingly the DPC considers, that there is a necessity for processing to be 
carried out by the Minister in order to verify identity (which in practice is done in 
accordance with the SAFE framework) and issue a PSC as a token of such identity 
verification. The necessity for this processing arises in part from the condition in section 
241(l)(b) SWCA 2005 which makes a person's right to receive a benefit dependent upon 
(inter alia) verification of their identity by the Minister (in other words processing of their 
personal data), combined with Section 242(4) and 263(1) SWCA 2005. 

246. Flowever, insofar as persons who are not benefits claimants are concerned, who wish to 
engage in a transaction with another specified body (not DEASP), it appears to the DPC that 
there is no (equivalent) legislative provision which necessitates the processing of such 
person's personal data by the Minister for the purposes of the Minister verifying their 
identity. In other words, there is no equivalent provision to Section 241(l)(b) SWCA 2005 
which makes it a condition of a person engaging in a transaction with a specified body that 
their identity must be verified by the DEASP (being an entirely separate body to that body 
with which the person is transacting). Flowever DEASP contend that, in relation to its 
reasoning, the DPC has overlooked the "plain meaning and significance of Section 
263(1)".^“ It points to Section 263(1C) which states that "the Minister shall not issue a public 
services card to a person unless the Minister is satisfied as to the identity of the person to 
whom such a card is to be issued". In this context DEASP says that in order for the Minister 
to perform her function and to be satisfied as to the identity of the a person and to issue a 
PSC, it is necessary for the Minister to follow the steps set out in Section 263(B) SWCA 2005 
in relation to authentication of identity^°^. DEASP contends that by carrying out the SAFE 
registration process, this is the method by which the Minister's function (i.e. in Section 263 
to (i) issue a PSC fit for the purpose of carrying out a transaction with specified bodies (ii) 
once satisfied as to the identity of a person) is performed^”'^. As regards the requirement in 
Section 2A(l)(c)(ii) of a valid legal basis that the processing in question must be necessary 
for the performance of the function in question, DEASP states that in order for the Minister 
to exercise her statutory function set out in Section 263(1), it is necessary for her to process 
personal data to authenticate identity, through a stipulated method which corresponds to 
a SAFE 2 registration (Section 263(B)). 

247. As regards the DPC's position noted above that there is no equivalent to Section 241(l)(b) 
SWCA 2005 making it a condition of a person's entitlement to transact with a specified body 
that they submit to the processing of their personal data by DEASP (for the purposes of 
SAFE 2 registration and the issuing of a PSC), DEASP does not agree with the significance 
which the DPC attributes to this. DEASP maintains that "Section 263 SWCA 2005 is a 
standalone provision which does not require a Section 241 equivalent" and that the 


DEASP's Response to the Draft Report, 3.1.11 at paragraph 30. 
DEASP's Response to the Draft Report, 3.1.11 at paragraph 38. 
DEASP's Response to the Draft Report, 3.1.11 at paragraph 39. 
DEASP's Response to the Draft Report, 3.1.11 at paragraph 43. 
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existence of Section 241 and 242 does not detract from the power of DEASP in Section 
263(1) to issue PSCs and the power in Section 263(3) of specified bodies to request them.^°® 

248. In brief, DPC does not agree with the interpretation adopted by DEASP as outlined 
immediately above. These points of interpretation are addressed collectively by the DPC in 
the sections that follow by way of the DPC's analysis and position in relation to the 
application and impact of Section 263 SWCA 2005. 


3.3.5 Does Section 263(3) SWCA 2005 create a requirement on a person to obtain a PSC if they 
do not already have one? 


249. Firstly, it is the DPC's view that the question of whether the processing by DEASP (for SAFE 
2 registration and the issuing of PSCs) for persons who are engaging in transactions, not 
with DEASP but with specified bodies, is necessary hinges on whether it is required as a 
matter of law for such persons to obtain a PSC (i.e. from DEASP). In the Draft Report, the 
DPC stated its preliminary position with regard to the interpretation of Section 263(3), 
which was that this provision did not create a mandatory requirement for a person entering 
into a transaction with a specified body (not DEASP) to obtain a PSC if they did not already 
have one. Instead, the DPC considered that this provision only creates a requirement on a 
person to produce their PSC if they already have one. DEASP disagrees with this position for 
the various reasons which are summarised and considered below. 

(1) DEASP contends that a "harmonious reading" of Section 263(1) and 263(3) SWCA 2005 
provides that the Minister can issue PSCs which may be required by, and if required 
must be produced to, specified bodies for transactions. 

(2) DEASP states that "[t]he specified body can stipulate that a PSC is required for certain 
transactions. It is a matter for the specified body to determine whether the production 
of a PSC is a necessary and proportionate requirement" 

(3) DEASP contends that Section 263(3) SWCA 2005 mirrors Section 264(4) SWCA 2005 
which applies to PPSNs (considered above).This provision states that: "A person shall 

give to a specified body his or her personal public service number [.], where relevant, 

as required by the body for the purposes of the person's transaction". DEASP points out 
that the expression "his or her" is used in this section also but that it does not 
presuppose possession in the literal sense without more and that it would be absurd if 
this meant that legally, a person is not required to produce a PPSN if they do not have 
one and that the Oireachtas cannot have intended such results. DEASP states that 


DEASP's Response to the Draft Report, 3.1.11 at paragraphs 49 and 50. 

DEASP's Response to the Draft Report, 3.1.11 at paragraphs 52 to 69. 

DEASP's Response to the Draft Report, 3.1.11 at paragraphs 55. 

DEASP's Response to the Draft Report, 3.1.11 at paragraphs 56. 
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neither could the Oireachtas have intended in Section 263(3) that only if people already 
have PSCs that they can be requested;^“ 

(4) DEASP states that "it is submitted that section 263(3) SWCA 2005 was intended to confer 
power on specified bodies to request production of a PSC"^^^; 

(5) DEASP relies upon a purposive interpretation of Section 263(3) and makes reference to 
certain public statements at national and EU leveP^^; 

(6) DEASP relies on Government statements, indicating that the PSC is to be used for access 
to all appropriate Government services^^^ and to parliamentary debates at the 
introduction of Section 263(3)^^"^. 


250. Having carefully considered all of the arguments put forward by DEASP, the DPC's position is 
that that Section 263(3) does not confer a power on a specified body to insist upon the 
production of a PSC for the purposes of a transaction with it where a person does not already 
have one. The corollary of this is that the specified body in question cannot refuse a 
transaction where the person does not have a PSC and does not obtain one. Set out below is 
the analysis and rationale, drawing from the principles of statutory interpretation discussed 
earlier, which has led the DPC to this conclusion. 


(1) First, as noted above at Part 2.3, the literal interpretation is the primary method of 
statutory interpretation. Based on this method, the use of the possessive in Section 
263(3)— " his or her public services card"—suggests that the relevant person already has 
a PSC. 

(2) There is no express provision made in Section 263(3) for a specified body to insist upon 
a PSC as the only form of identification or indeed as one of only two forms of 
identification, as is the case with benefit claimants under Section 242(4). Therefore the 
DPC does not agree with DEASP's suggestion that Section 263(3) has the effect that 
"[w]hen these bodies require them, they must be produced"^^^.Again, this derives from 
a straightforward literal interpretation of Section 263(3). 

(3) Viewing Section 263(3) in the context of the SWCA 2005 as a whole (see Section 5, 
Interpretation Act 2005 ("intention can be ascertained from the Act as whole")), there 
is no equivalent found in Section 263(3) of Section 242(4). That latter section provides 
in relevant part that, subject to subsection (5), a person presenting for payment of 
benefit on his or her own behalf "shall" satisfy the Minister, an officer of the Minister or 
a payment service provider, as the case may be, as to his or her identity by furnishing: 


DEASP's Response to the Draft Report, 3.1.11 at paragraphs 58. 
DEASP's Response to the Draft Report, 3.1.11 at paragraphs 58. 
DEASP's Response to the Draft Report, 3.1.11 at paragraphs 59 to 61. 
DEASP's Response to the Draft Report, 3.1.11 at paragraphs 66 to 68. 
DEASP's Response to the Draft Report, 3.1.11 at paragraphs 69. 
DEASP's Response to the Draft Report, 3.1.11 at paragraph 42 
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“(a) his or her public services card, or 

(b) a card that has been issued to the person by the Minister under section 264 and 
such other information or documentation as the Minister, an officer of the Minister 
or a payment service provider, as the case may be, may reasonably require for the 
purposes of authenticating the identity of that person". 


(4) Therefore, this provision (Section 242(4)) creates an obligation on the relevant person 
to use either the PSC or a payment (Section 264) card when presenting for payment of 
a benefit to DEASP. The language of Section 242 is very clear, unequivocal and precise; 
it creates a clear obligation on the person presenting for payment. However It can 
immediately be seen that Section 263(3) is drafted in very different terms. As has been 
previously noted by the DPC above and in the Draft Report (paragraph 181), in relation 
to persons who are not benefits claimants (referred to in the Draft Report as "DEASP 
clients"), there is no equivalent conditionality created within the SWCA 2005 (or to the 
DPC's knowledge, in any other legislation) under which it is a condition of a person's 
capacity to enter into a transaction with a specified body, that their identity must be 
verified with the Minister, with such identity verification resulting in the issuing by the 
Minister of a PSC.^^® 

(5) In addition to this, unlike in the context of where persons are making a claim for, 
receiving or presenting for benefits, there are no penalties prescribed under the SWCA 
2005 for failure to produce a PSC where a person is engaging in a transaction with a 
specified body. This is also critical. As set out above. Section 242(7) provides that where 
a person fails to comply with Section 242(4) or 242(6), payment of benefit may be 
withheld until such time as the identity of the person is validated. There is no equivalent 
provision in the context of Section 263, as would be expected if Section 263 had the 
interpretation DEASP suggests. 

(6) Based on the above analysis, the DPC considers that at a minimum, detailed legislative 
provisions^^^ are required stating the obligation that a person must have their identity 
verified and obtain a PSC (as a token of such verification) for production when requested, 
where a person is seeking to engage in a transaction with a specified body.^^® However, 
no such provisions are present. For Section 263(3) to have the meaning for which 
DEASP contends would potentially require the party interpreting the legislation (in 


It should also be noted in this regard that the DPC has not identified any legislation in which a PSC is expressly named 
as a mandatory requirement which must be produced in order to engage with a particular specified body. There are 
a number of references to PSCs in Statutory Instruments which allow for a PSC to be produced voluntarily as a form 
of acceptable identification, for example, S.l. No. 75/2019 - European Parliament Elections Regulations 2019, 
regulation 3(vi); S.l. No. 537/2006 - Road Traffic (Licensing of Drivers) Regulations 2006, regulation 54(l)(n) (inserted 
by S.l. No. 98/2018 - Road Traffic (Licensing of Drivers) (Amendment) Regulations 2018); S.l. No. 161/2018 - 
Commercial Vehicle Roadworthiness (Roadside Enforcement) Regulations 2018, regulation 7(4); S.l. No. 442/2014 - 
Savings Certificates (Issue 21) Rules 2014, General Terms and Conditions, para. 2.2(b). However, there is no 
compulsion to produce the PSC in those circumstances. 

As noted elsewhere in this report, the mere existence of a legislative provision does not provide a legal basis for 
processing and a controller must be able to demonstrate how the processing is necessary for the function in question. 
As noted above, the mere existence of a legislative provision does not provide a legal basis for processing and a 
controller must be able to demonstrate how the processing is necessary for the function in question. 
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accordance with the rules of statutory interpretation) to legislate and add words— 
insofar as there would have to be a consequence for failure to produce a PSC. As has 
been discussed earlier in relation to the rules of interpretation, such an approach is 
impermissible.^^® 

(7) Furthermore, reading Section 263(3) to impose an obligation on a person to 
authenticate identity to a specified body specifically through producing a PSC, also 
appears to be contrary to the requirement to interpret penal statutes strictly.The 
clear implication of DEASP's reading is that a PSC is obligatory for the purpose of a 
transaction with a specified body, when the specified body chooses to request it, and 
that such a transaction could not be implemented without the PSC. Flowever, as this 
results in a detriment to the person—insofar as the transaction cannot be effectuated — 
it appears to the DPC that Section 263(3) must be interpreted restrictively. 

(8) DEASP also appears to be relying on various other methods of statutory interpretation 
to achieve its interpretation of Section 263(3) which do not appear to be appropriate in 
light of the principles of statutory interpretation which have been discussed above. For 
example, it is suggested^^^ that "[i]n simple terms, a harmonious reading of section 263 
(1) and (3) provides that the Minister can issue PSCs which may be required by, and if 
required must be produced to, specified bodies fortransactions". Flowever, this amounts 
effectively to reading in an equivalent of Section 242(2) by virtue of a relatively vague 
reference to an "harmonious" reading, which cannot be used to override the literal and 
contextual interpretation just outlined above. 

(9) As referred to above, it is contended by DEASP:^^^ "Nor can the Oireachtas have 
intended in legislation for section 263(3) SWCA 2005 to provide that only if people 
already have PSCs can the cards be requested". Flowever, the legislative intention is to 
be derived by the plain meaning of the statutory provisions, which the DPC has 
considered above. Moreover, the DPC does not hold the view that any ambiguity or 
absurdity arises from this reading of Section 263(3) as is required to engage the need 
fora purposive interpretation of statutory provisions. 

(10) It is stated by DEASP that "it is submitted that section 263(3) SWCA 2005 was intended 
to confer power on specified bodies to request production of a PSC".^^^ Again, the 
legislative intention is to be derived from the literal interpretation of the statutory 
provisions. The DPC's view as stated above is that the production of a PSC applies only 
where a person already has one. 

(11) Reference is also made by DEASP to the context of the provisions of the Acts as a 
whole.Flowever, as noted previously, viewing Section 263(1) in the context of the 


See Part 2.3. 
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DEASP's Response to the Draft Report, 3.1.11 at paragraph 55. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 58. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 58. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 58. 
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Acts as a whole, the contrast between the application of Section 242(4) in respect of 
the situation where a person is making a claim, receiving or presenting for a benefit 
from DEASP and the absence of an equivalent provision for situations where a person 
is engaging in a transaction with a specified body is notable. 

(12) Significance is also attributed by DEASP to public statements at both national and EU 
leveP^^ for the purposes of interpreting Section 263(3) SWCA 2005. Elowever, as noted 
earlier in relation to the rules on statutory interpretation^^® such external sources are 
irrelevant in statutory interpretation. 

(13) As has already been noted, DESAP invokes a purposive interpretation to the 
interpretation of Section 263(3) SCWA 2005.^^^ However, it is apparent from Section 5 
of the Interpretation Act 2005 that such an interpretation only arises if the literal 
interpretation is absurd or ambiguous and the DPC does not consider this to be the case 
here. 

(14) Reference is also made to Government decisions.However, again these are not 
relevant sources of evidence for statutory interpretation which can be relied on to 
interpret the meaning of Section 263(3). 

(15) Finally, despite DEASP's emphasis on the statutory provisions underpinning the PPSN^^® 
which have been referred to above, the DPC does not consider these to be of assistance 
in interpreting Section 263(3) as the provisions underpinning the PPSN are in fact 
worded differently from Section 263(3). Section 262(4) provides as follows: 

"A person shall give to a specified body his or her personal public service number 
and the personal public services numbers of his or her spouse, civil partner or 
cohabitant and children, where relevant, as required by the body for the purposes 
of the person's transaction"-, 

However, it is not clear that this provision has the effect contended for by DEASP given 
that there does not appear to be an equivalent to Section 242(4) for the PPSN. In any 
event, it is noted that this provision is actually phrased in more mandatory terms than 
Section 263(3). There is a reference to the PPSN being "as required" for transactions 
with specified bodies. By contrast. Section 263(3) refers to the PSC being furnished "at 
the request ' of the specified body. 


3.3.6 DPC's conclusions in relation to the meaning and effect of section 263(3) SWCA 2005 


DEASP's Response to the Draft Report, 3.1.11 at paragraph 60. 
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DEASP's Response to the Draft Report, 3.1.11 at paragraph 61. 

DEASP's Response to the Draft Report, 3.1.11 at paragraph 67. 

229 DEASP's Response to the Draft Report, 3.1.11 at paragraphs 13 - 29 
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251. As noted above, the DPC considers that the question of necessity of processing, for the 
performance of a public interest function under Section 2A(l)(c)(iv), is inextricably bound 
up with the question of whether it is necessary under the SWCA 2005 (or any other 
legislation), for a person who wishes to enter into a transaction with a specified body, to 
produce a PSC as a condition of entering into a transaction with that specified body, where 
the person does not already have a PSC. Asset out above, the DPC has found that under the 
provisions of Section 263(3) SWCA 2005 there is no obligation for a person to obtain a PSC 
where they do not already have one, in order to complete a transaction with a specified body. 
The corollary of this is that there can be no obligation under Section 263(1) SWCA 2005 for 
DEASP to carry out processing in relation to SAFE 2 registration and the issuing of PSCs in 
respect of persons wishing to enter into transactions with a specified body which has sought 
to compel them, under Section 263(3) to produce a PSC where the person does not already 
have one. 


3.3.7 Is there a legal basis under Section 2A(l)(c)(iv) for processing by DEASP of personal data of 
persons seeking to enter into a transaction with a specified body? 


252. For completeness the final issue which remains to be addressed under this analysis is the 
concept of necessity. As referred to in Part 2.5.1, one of the core elements of the concept 
of necessity at EU law is the requirement that even where national legislation permits of 
interferences with data protection rights, there must be "clear and precise rules"^^° 
regarding the necessity for processing of the personal data in question. As referred to 
earlier, pursuant to Article 52(1) of the Charter, any limitations on Charter rights must be 
"provided for by law". As also noted elsewhere in this report, it is the DPC's view that in 
order to legitimise the wide scale processing function sought to be performed by DEASP as 
the sole administrator of SAFE 2 registrations in the State, there should be, at a minimum, 
sufficiently detailed provisions providing for the obligation for a person to have their 
identity verified by DEASP and obtain a PSC as a token of such verification, where a specified 
body requests a PSC from a person forthe purposes of that person engaging in a transaction 
with that body. Given the DPC's findings above in relation to the meaning and effect of 
Section 263(3), it is readily apparent that this provision, taken alone or in conjunction with 
Section 263(1), does not provide for any interferences with data protection rights at all, 
whether arising from clear and precise rules or otherwise. Accordingly, given that no 
legislative provision is engaged under Section 263 SWCA 2005 which requires a person to 
submit to the processing of their personal data in the first place, it cannot be said that the 
core requirement for clear and precise rules governing such processing, under the principle 
of necessity, is satisfied. In circumstances where this central element of necessity is not 
present, the DPC considers that it is unnecessary to proceed to assess the other elements 
of necessity. 


™ CJEU, Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v Post- och telestyrelsen, and Secretary of State for the 
Home Department, 21 December 2016 
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253. Accordingly the DPC finds that it cannot credibly and sustainably be said that processing by 
DEASP is necessary under Section 2A(l)(c)(iv) of the Acts by reference to Section 263(1), for 
SAFE 2 registration and issuing PSCs to persons who are being compelled by a specified 
body to produce a PSC under the auspices of Section 263(3) SWCA 2005. 


FINDING 2 

In the coNTE)a of whether there is a legal basis for the processing of personal data 

CARRIED OUT BY DEASP IN RESPECT OF PERSONS ENGAGING IN A TRANSACTION WITH A SPECIFIED 
BODY OTHER THAN DEASP (THE "SPECIFIED BODY"), T HE DPC'S CONCLUSIONS ARE AS FOLLOWS. 

(A) IN RELATION TO THE EFFECT AND MEANING OF SECTION 263(3) OF THE SWCA 2005: 

(1) Section 263(3) does not confer a power on the specified body to insist upon 

PRODUCTION OF A PSC FOR THE PURPOSE OF A TRANSACTION WITH IT WHERE A PERSON 
DOES NOT ALREADY HAVE A PSC; 

(2) UNDER THE SWCA 2005 THERE IS NO LEGAL REQUIREMENT ON A PERSON SEEKING TO 
ENGAGE IN A TRANSACTION WITH THE SPECIFIED BODY TO SUBMIT TO HAVING THEIR 
PERSONAL DATA PROCESSED BY DEASP FOR THE PURPOSES OF SAFE 2 REGISTRATION AND 
THE ISSUING OF A PSC; 

(3) The specified body cannot refuse to engage in a transaction with a person who 

DOES NOT HAVE A PSC AND WHO DOES NOT OBTAIN ONE. 

(B) Based ON THE FINDINGS AT Paragraph (A) ABOVE, the DPC is not satisfied thatthere 
IS LEGAL BASIS UNDER Section 263 SWCA 2005 or otherwise undertheSWCA 2005, 
FOR THE PURPOSES OF SECTION 2A(l)(c)(ll), (ill) OR (iV) OF THE ACTS, OR OTHERWISE 

underthe Acts, for processing carried out by DEASP for SAFE 2 registration and 

THE ISSUING OF PSCS IN CIRCUMSTANCES WHERE THE SPECIFIED BODY HAS SOUGHT TO 
COMPELTHE PRODUCTION OF A PSC, BY A PERSON WHO DOES NOT ALREADY HAVE ONE, FOR 
THE PURPOSES OF A TRANSACTION WITH THE SPECIFIED BODY. ACCORDINGLY, IN THE 
CIRCUMSTANCES OF SUCH PROCESSING, THE DPC CONSIDERS THAT DEASP IS IN 
CONTRAVENTION OF ITS OBLIGATION UNDER SECTION 2A(1) OF THE ACTS. 
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3.4 Consideration of DEASP's position regarding extensions to the use of the PSC 

254. In its Draft Report, the DPC observed^^^ that it appeared that, rather than extending the 
requirement for SAFE 2 identity authentication, as evidenced by the issue of a PSC, by 
the express provisions of the SWCA 2005 or indeed any other legislation, the extension 
of the SAFE 2 and PSC identity verification scheme to transactions with specified bodies 
(i.e not the DEASP) has purportedly been effected by way of Government Decisions and 
DEASP practices. The DPC pointed to the 2013 Government Decision, discussed above, 
as summarised in Annex B to the eGovernment Strategy 2017-2020, which states that 
the PSC is a "standard identity verification scheme, which is to be used for access to all 
public services where appropriate". The DPC also observed in its Draft Report that this 
Decision has the effect of making the PSC a mandatory token of SAFE 2 registration for 
certain (and ultimately according to the stated policy decision, all public services, 
including services not provided by DEASP. 

255. The DPC also commented in its Draft Report that the Government Decision of 2013 is 
reflected in practice by the fact that no other public body conducts SAFE 2 
authentication and the Minister alone is responsible for issuing the PSC as a token of 
such authentication. DEASP's response to Question 13 in the Comprehensive Guide 
("What Government entities can conduct safe registration?") confirms that although 
certain specified bodies could conduct SAFE 2 authentication, "the Department of 
Employment Affairs and Social Protection is the sole body in the State that currently 
provides SAFE 2 registration " (emphasis added). In this regard, the DPC notes that in its 
submissions on the Draft Report, DEASP essentially accepts that its SAFE registration 
process has become the de facto identity verification system in the State through the 
following statement: 

"DEASP was the first Department/public service, because of its scale and the range 
of services that it provides (Including PPSN registrations), to establish a SAFE process 
and offers customers the PSC as a token that they have been authenticated to SAFE 
standards. Rather than reguiring other public service providers to establish their 
own separate SAFE processes the Government sponsored section 263(3) SWCA to 
enable providers to rely, via the PSC, on the identity verification system operated by 
DESAP. This minimises duplication of effort and cost, and simplifies and streamlines 
customer service and is in accord with EU Malmo and Talinn Declarations and in 
particular the principles of "once only" and "interoperability by default. 

This does not mean that other specified bodies are confined to using DEASP's 
identity authentication service only. They are entitled, and can if they choose to do 
so, establish their own SAFE process, although for cost, customer service and data 
security reasons they are discouraged from doing so . However, the freedom of other 


At paragraph 183, Part 3.1.8. 
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bodies to choose shows that they use of the terminology "mandatory" In terms of 
the processing carried out by DEASP is inappropriate."^^^ (Emphasis added 


256. The DPC is not aware of the measures taken by each specified body to assess and 
determine the appropriateness or otherwise of requiring an individual to be SAFE 2 
registered or to produce a PSC. The response to Question 32 of the Comprehensive 
Guide ("What is the legal basis for requiring SAFE 2 registration across public services?") 
appears to imply that such an assessment would be carried out. It states: 

The legal basis for public bodies reguiring SAEE 2 identity verification in the provision 
of their services is dependent on the nature of the legal, regulatory or administrative 
basis on which the service is being provided and the legal, regulatory or 
administrative procedures being operated in the provision of that service, i.e., it 
differs depending on the service and will be set out in the explanatory material for 
that service where SAEE 2 identity verification is reguiredf^^ 


257. Flowever irrespective of whether other public bodies may choose to adopt their own 
version of SAFE registration, the DPC considers that the primary issue here is the fact 
that DEASP is the only such authority carrying out SAFE registration. The processing 
carried out by DEASP falls to be analysed (in terms of compliance with the Acts) by 
reference to what is actually happening in practice and not what the other possibilities 
are for alternative identity verification by other public bodies. 

258. With regard to its processing of personal data for SAFE registration in connection with 
specified body transactions, DEASP strenuously rejects the suggestion that SAFE 
registration was extended by non-legislative means and/or DEASP practices and insists 
that "there is specific legislation underpinning for SAFE registration and the issuing of a 
PSC to support transactions with specified bodies"^^"^ (i.e. Section 263(1) and 263(3) 
SWCA 2005). Flowever, as per Finding 2 in this report, the DPC is not satisfied that these 
provisions (or any other provisions under the SWCA 2005) provide a legal basis under 
Section 2A(l)(c)(ii), (iii) or (iv) of the Acts for processing carried out by DEASP for SAFE 
2 registration and the issuing of a PSC in circumstances where a specified body has 
sought to compel the production of a PSC by a person who does not already have one, 
for the purposes of a transaction with that specified body. 

259. DEASP further alleges that the "DPC appears to undermine the importance of 
Government Decisions with regard to SAFE registration and the PSC project", stating that 
the 2004 Government Decision (29 June 2004) commenced the SAFE project, with a 
further decision of July 2005 approving in principle the use of the PSC for all existing 
card based schemes and new schemes over time, while the 2013 Government Decision 
"confirmed that the PSC was to be used to access all appropriate Government 


DEASP's Response to the Draft Report, 3.1.11 at paragraphs 62 and 63. 

Department of Employment Affairs and Social Protection, Comprehensive Guide to Safe Registration and the Public 
Services Card, October 2017. 

DEASP's Response to the Draft Report, Part 3.1.11 at paragraph 68. 
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services" DEASP states that these Government decision are important in that "they 
provide a useful historical background on the Governmental policy explaining how the 
broaderfunction of the Minister in Section 263(1) and 263(3) comes to be found in social 
welfare legislation"f^^ 

260. With regard to the DEASP comments that DPC appears to be undermining the 
government decisions in question, DPC does not accept this criticism. The focus of the 
DPC's analysis in this report is to assess whether there is, inter alia, a legal basis under 
the Acts for the processing which is being carried out by DEASP in connection with 
specified body transactions, which the DPC has found there is not. While the DPC notes 
the comments in the Comprehensive Guide and DEASP submissions that other bodies 
may choose to implement their own version of SAFE registration, the fact is that they 
have not. In the circumstances, the DPC considers that DEASP, in effect performs the 
role of sole administrative authority for the implementation of SAFE 2 identity 
authentication In the State and indeed operates as the only entity in the State which 
can issue the PSC as a token of SAFE registration. 

261. The DPC considers that in order to legitimise (in accordance with the principle of 
necessity under ED law) the wide-scale data processing function sought to be performed 
by DEASP as the sole administrator of SAFE 2 registration in the State, there should be, 
at a minimum, sufficiently detailed provisions'^® expressly providing for the obligation 
that a person must, in effect have their identity verified by DEASP and obtain a PSC (as a 
token of such verification) for production when a specified body requests a PSC, where a 
person is seeking to engage in a transaction with a particular specified body. The current 
regime, as set out in Section 263 SWCA 2005, does not satisfy such requirements. 

3.5 Legal basis for processing of personal data for the purpose of inviting an individual to 
complete SAFE 2 registration by postal means 

262. DEASP indicated in the Comprehensive Guide^®®that, in some cases, it contacted individuals 
who had partially verified their identity to SAFE 2 standard with another specified body, in 
order to invite those individuals to supply DEASP with such additional information as 
required to authenticate their identity to SAFE 2 standard, and receive a PSC.^"^°Compliance 


DEASP's Response to the Draft Report, Part 3.1.11 at paragraph 66. 

DEASP's Response to the Draft Report, Part 3.1.11 at paragraph 68. 

DEASP's Comprehensive Guide, answer to Question 13, "What Government entities can conduct SAEE Registration? 
As noted elsewhere in this report, the mere existence of a legislative provision does not provide a legal basis for 
processing; a controller must be able to demonstrate how the processing is necessary for the function in question by 
reference to the principles set out in Part 2. 

Question 7 of the Comprehensive Guide ("How do people register to SAFE 2 standard?"). 

This process meant that following a transaction with another specified body (e.g. the Road Safety Authority (RSA), 
the DEASP received updated public service identity (PSI) information following receipt of such information, DEASP 
contacted the person and asked that person whether they wished to be SAEE 2 registered and issued with a PSC. The 
DEASP state (in DEASP's Response to the Draft Report Part 3.1.14, paragraph 3): 

"For example, as regards RSA, the following sequence of events typically occurred: 

• Since October 2013, all applications for a driving licence have included an in-person interview where a 
photograph is taken of the applicant and their identity is authenticated to the satisfaction of the RSA. 

• This authentication process involved an update of some elements of PSI data during the transaction. 
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with this alternative SAFE 2 registration process was optional on the part of the individual 
contacted. DEASP state that this process commenced in May 2017 and was discontinued in 
November 2017.^^^ 

263. In order to conduct the postal SAFE 2 registration process, DEASP carried out a number of 
processing operations which were distinct from the normal SAFE 2 registration process 
discussed elsewhere in this report. In particular, DEASP processed personal data in order to 
identify eligible persons who had partially verified their identity to SAFE 2 standard with 
other specified bodies. DEASP also processed personal data by writing to these individuals 
to request the additional information necessary to complete SAFE 2 identity verification. 
These specific processing operations are addressed in this part of the report. 

264. Flaving noted the existence of the postal registration process, the DPC requested 
information from DEASP on its legal basis for this processing under section 2A of the Acts.^^^ 
The DPC's queries in this regard were not concerned with the legal basis for processing 
where an individual opted to provide information to DEASP in order to complete SAFE 2 
registration, but rather with the processing which involved identifying and corresponding 
with those individuals to invite them to complete SAFE 2 registration. 

265. In its response, DEASP indicated that it relied on four legal bases under section 2A of the 
Acts for the processing in question: 

(1) processing was necessary for the performance of a function conferred on a 
person by or under an enactment, pursuant to section 2A(l)(c)(ii) of the Acts, 

(2) the data subject had given their consent to the processing in question, pursuant 
to section 2A(l)(a) of the Acts, 

(3) processing was necessary for the performance of a function of a public nature 
performed in the public interest by a person pursuant to section 2A(l)(c)(iv), 
and 

(4) processing was necessary for the purposes of the legitimate interests of DEASP 
and citizens of Ireland pursuant to section 2A(l)(d) of the Acts. 

These are examined in the following paragraphs. 


• DEASP requested from the RSA the elements of the PSI data it had collected via the driving licence application 
process. DEASP subsequently wrote to individuals who had renewed their driving licence since March 2014 and 
invited them to register for a PSC. 

• The process was completed only with the person concerned consenting to the use of the photograph taken 
during their transaction with the RSA, being used and answering some additional security questions. 

• The information that was transferred securely to DEASP was as follows: Holder id, PPSN, Surname, Firstname, 
Date Of Birth, Sex, Birth Surname, Mother's Birth Surname, Household address. Household County, Birth 
Country, Photo Capture Date and Photograph." 

DEASP's Response to the Draft Report, Section 3.1.14, Part 2, paragraph 1. 

The DPC's Request for further Information was as follows: "The Data Protection Commission requests additional 
information from DEASP regarding its legal basis under section 2A of the Acts (and any further legislative provision, 
whether in the SWCA 2005 or otherwise giving effect to that legal basis) for processing personal data for the purpose 
of identifying individuals and inviting them to complete SAFE 2 registration on a voluntary basis." 
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Section 2A(l)(c)(ii): Performance of a function conferred on a person by or under an enactment 


266. DEASP contends that 

the processing of personal data involved in the voluntary SAFE 2 registration and issuing 
of the PSC falls under section 2A(l)(c)(ii) of the DPA, which permits such processing for 
the performance of a function conferred on a person by or under an enactment!' It 
states that section 263(1) SWCA 2005 “provides that the Minister has a function to issue 
PSCs for the purpose of a transaction'. This term includes possible future transactions 
with specified bodies.^'^^ 

Accordingly, DEASP contends that section 263(1) of the SWCA 2005 creates a function on 
the part of the Minister with regard to the issue of the PSC for the purpose of a transaction, 
and further states that the term "for the purpose of a transaction" in this context includes 
the processing to identify and invite individuals who are not SAFE 2 registered, and who are 
not transacting with DEASP or a specified body, to complete SAFE 2 registration. 

267. The DPC has already set out its position, that Section 263 does not provide a sufficient legal 
basis for the purposes of section 2A(l)(c)(ii) for processing in connection with SAFE 2 
registration and the issuing of PSCs. This finding applies equally with regard to DEASP's 
above contention that the processing in question was necessary for the performance of a 
function conferred on the Minister under the SWCA 2005. Elowever the DPC has also 
considered, for completeness, whether section 263(1) SWCA 2005 can be regarded as 
providing a lawful basis for processing for the purpose of the postal registration process, 
taking into account the terms used in that Section. 

268. As has been outlined previously in this report, case law of the CJEU^'^^ indicates that 
limitations in relation to the protection of personal data apply only to the extent that they 
are strictly necessary. Bearing this strict construction in mind, and having had regard to the 
plain meaning of the term "for the purpose of carrying out a transaction" as used in Section 
263(1) of the SWCA 2005, the DPC is satisfied that a "transaction" must relate to a specific 
transaction, which requires the intended/ imminent use of the PSC, rather than the 
possibility of any potential future transaction(s).^^® The DPC further notes that this 
interpretation of the term "transaction" accords with DEASP's position on issuing a PPSN; 
DEASP will only issue a PPSN to an individual moving to Ireland if the applicant can 
demonstrate the number is "required fora transaction with a specified body".As a result, 
the DPC is satisfied that DEASP cannot rely on Section 263(1) as a legal basis for processing 
under section 2A(l)(c)(ii) of the Acts. 


DEASP's Response to the Draft Report, Section 3.1.14, Part 2, paragraph 9. 

DEASP's Response to the Draft Report, Section 3.1.14, Part 2, paragraph 9. 

See further Part 2 of this report. 

The DPC also notes that the DEASP did not provide any reasons as to why they consider a "transaction" to include 
possible future transactions. 

Department of Employment Affairs and Social Protection, "Personal Public Services Number", available here 
http://www.welfare.ie/en/Pages/PPSN.aspx . 
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Section 2A(l)(a): Consent of the data subject to processing 


269. DEASP also states that section 2A(l)(a) of the Acts provided it with a lawful basis for 

carrying out such processing.The Department contends that this optional form of SAFE 
2 registration was conducted on the basis of the data subject's consent. In particular, 
DEASP states that the form to be returned to complete SAFE 2 registration under this 
process contained a box for the applicant to tick, to indicate their "consent" to DEASP's 
use of their data to "update...records" DEASP submits that pursuant to section 263(1), 

the SWCA 2005 "confers a function on the Minister that she may Issue a PSC, subject to 
Identity authentication and for the purpose of a transaction" The Department states 
that, 

the only difference between Inviting Individuals to be SAFE registered In this way Is the 
trigger. Ordinarily the trigger Is that a specified body regulres a PSC for a transaction, 
which results In the Individual reguestIng It from DEASP and the Minister providing It If 
satisfied as to Identity. With the voluntary process, the Individual has provided some 
parts of the Identity jigsaw and Is Invited by DEASP to provide the rest and to provide 
their consent to be SAFE 2 reglstered.^^^ 

270. Elowever, DEASP's submissions with regard to consent do not fully address the lawful basis 
for the significant processing operations which were carried prior to the involvement of 
the individuals concerned. Irrespective of whether an individual elected to provide their 
consent to SAFE 2 registration on foot of the letter from DEASP, the individual clearly did 
not provide their valid consent to DEASP's prior obtaining and processing of their personal 
data to identify eligible persons, and to send the letter of invitation. Accordingly, DEASP 
cannot rely on data subject consent as a legal basis for processing under section 2A of the 
Acts for its postal registration invitation process i.e. those operations carried out to identify 
and contact eligible individuals for SAFE 2 registration, by obtaining information from third 
parties. 

Section 2A(l)(c)(lv): processing Is necessary for the performance of a function of a public 
nature performed In the public Interest 


271. The Department also contends that they have a lawful basis under section 2A(l)(c)(iv) 
which provides that processing may be lawful where it is 'necessary for the performance 
of any other function of a public nature performed In the public Interest by a person'. 
The DEASP states 


Section 2A(l)(a) of the Acts provides for the processing of personal data to be lawful where a data subject has 'given 
his or her consent to the processing'. 

DEASP's Response to the Draft Report, Section 3.1.14, paragraph 13. 

DEASP's Response to the Draft Report, Section 3.1.14, paragraph 14. 

DEASP's Response to the Draft Report, Section 3.1.14, paragraph 14. 
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It is...in the public interest that the DEASP seeks to ensure that the identity of persons 
using public services is authenticated in order that public monies and resources are 
correctly allocated to the correct citizen. 

Til. Notwithstanding the general public interest in proper identification of clients of public 
services, the DPC is satisfied that this public interest is not engaged, for the purposes of 
section 2A(l)(c) in circumstances where there is no anticipated transaction between an 
individual and DEASP. 

Section 2A(l)(d): the legitimate interests of the data controller 


273. The Department also states that it could rely on section 2A(l)(d) of the Acts for the 
processing in question, on the basis that "it is in the legitimate interest of both the 
DEASP and the citizen that they are SAEE 2 registered in order to protect against identity 
fraud and to assist in easy access to public services in the future". The CJ EU, in the Rigas 
Police Case/^^ identified three conditions that must be met by a controller before 
processing can be considered necessary for the purposes of the legitimate interests of 
a data controller. Firstly, there must be a legitimate interest justifying the processing; 
secondly, the processing of the personal data must be necessary for the realisation of 
the legitimate interest, and finally that interest must prevail over the rights and 
interests of the data subject. 

274. In its submission to this office, DEASP stated that the processing in question was for the 
purpose of the legitimate interests of DEASP and citizens in accessing services and 
combating fraud. Elowever, DEASP has not conducted a balancing exercise to weigh the 
impact on the fundamental rights and freedoms of affected persons against the 
interests pursued by DEASP. This balancing test is at the core of any data controller's 
reliance on this legal basis. In those circumstances, the DPC does not consider that 
DEASP has demonstrated how it may rely on this legal basis for the processing in 
question. 

DPC position on the postal SAEE 2 registration process 


275. For the reasons set out above (and by way of observation only) the DPC is not satisfied 
that DEASP has demonstrated that it had a legal basis under Section 2A of the Acts to 
process the personal data it holds in the context of the PSI dataset for the purposes of 
identifying and inviting individuals who had direct contact with another specified body 
(but not with the DEASP) to complete SAFE 2 registration in order to be issued with a 
PSC. The DPC notes that DEASP has discontinued this practice at the time of this report. 


DEASP's Response to the Draft Report, Section 3.1.14, Part 2, paragraph 12. 
CJEU, Case C 13/16, Valsts poHcijas RJgas, 4 May 2017. 
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3.6 Data Retention 


3.6.1 Retention of data collected for SAFE 2 registration 

276. In this section, the DPC has examined the retention of information and documentation 
which is collected by DEASP for the purposes of conducting SAFE 2 registration, in order to 
assess whether DESAP is in compliance with the obligation under Section 2(l)(c)(iv) as 
discussed below. This is one of the principles which relates to lawfulness of processing 
under the Acts. 

Data protection principles on data retention 


111. Personal data sought and kept by data controllers should be sufficient to enable them to 
achieve their specified purposes and no more. Data controllers have no basis for collecting 
or keeping personal data that they do not need, "just-in-case" a use is found for it at a future 
date. Section 2(l)(c)(iii) of the Acts requires that personal data kept shall be adequate, 
relevant and not excessive in relation to the purposes for which it was collected while 
Section 2(l)(c)(iv) of the Acts requires that personal data is not kept for longer than is 
necessary for the purpose for which it was collected. 

S1/1/C4 200S provisions relating to retention of personal data 


278. As discussed above, section 263B(1) of the SWCA 2005 permits the collection of certain 
information for the purpose of issuing of a PSC "without prejudice to any other method of 
authenticating the identity of that person." Two specific types of information are stipulated, 
namely a photograph (or record of an image) of the person, and a sample of the person's 
signature in electronic form.^^'^ The other information that may be collected under this 
section is not specified but described in general terms as "information and .... any document 
... [as] may reasonably [be] require[d] for the purposes of authenticating the identity of that 
person". 

279. Section 263B(2) of the SWCA 2005^^^ sets out a legislative basis for DEASP to retain the 
photograph and sample signature furnished under Section 263B(1) (i.e. as part of the PSC 
registration process) in electronic form and in such a manner that allows them to be 


Section 263B(1) allows for the Minister "for the purpose of satisfying himself as to the identity of a person... in respect 
of whom a public services card is to be issued under Section 263.... (c) to allow a photograph or other record of an 
image of that person to be taken... in electronic form, for the purpose of the authentication , by the Minister, at any 
time of the identity of that person.." (emphasis added). Further, Section 263B(2) states that the Minister "shall retain 
in electronic form - (a) any photograph or other record of an image of a person taken pursuant to subsection 1(c).. 
in such manner that allows such photograph... to be reproduced by electronic means" (emphasis added). 

"The Minister shall retain in electronic form - (a) any photograph or other record of an image of a person taken 
pursuant to subsection 1(c), and (b) any signature provided pursuant to subsection 1(d) in such manner that allows 
such photograph, record or signature to be reproduced by electronic means". 
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reproduced.(There is no time limit applied in this provision to the retention of such 
photographs and signatures.) However, as detailed below, there is no equivalent provision 
providing for the retention of the other information or documents which have been 
required to be produced under section 263B(1) for the purposes of authenticating identity. 


3.6.2 Data collected and retained by DEASP 

280. Data gathered by the DEASP during the SAFE 2 registration process and "personalised" onto 
the PSC is wide ranging. SAFE 2 registration requires data subjects to present verifiable 
documentation including their name, date of birth, nationality, phone number, address, 
gender, a facial photograph and signature. These documents are used within the SAFE 2 
interview to verify identity, and copies or scans are taken and retained.Such required 
supporting documentation includes passports, birth certificates and utility bills.The data 
used to underpin the PSC, in particular the national identity documents used to verify 
nationality, are scanned at high resolution. According to the information contained in the 
Comprehensive Guide, persons undergoing SAFE registration are required to provide the 
following supporting documentation which differ depending on a person's nationality and 
circumstances:^^® 


Irish citizens born in the 

Republic of Ireland 

Current Irish passport, current Irish or UK driving licence or 
Irish learner driver permit. 

If adopted, an adoption certificate. 

Irish citizens via 

naturalisation or 

Foreign Birth 

Registration 

Current Irish passport or Certificate of Naturalisation or 
Foreign Birth Registration certificate and Irish or UK driving 
licence or Irish learner driver permit. 

Irish citizens born in 

Northern Ireland and 

UK citizens 

Current passport, or birth or adoption certificate and current 
driving licence. 

EU citizens 

Current passport or national identity card. 

Non-EU nationals 

Current passport or 1951 (Geneva Convention) travel 

document. 


Evidence of address (any of the following documents): 


DEASP has confirmed that in relation to the renewal of a PSC it retains all photographs which are captured on the 
DEASP's system and on the facial matching database (the CEIMSj.The issue of facial matching will be addressed in a 
further separate report by the DPC, as set out in Part 1. 

Comprehensive Guide to Safe Registration and the Public Services Card, see Question 18 ("What is the Public Service 
Identity set?") 

Department of Employment Affairs and Social Protection, Comprehensive Guide to Safe Registration and the Pubiic 
Services Card, see responses to Questions 7 ("How do people register to SAFE 2 standard?"), 8 ("What do I have to 
bring to my SAFE registration appointment?") and 18 ("What is the Public Service Identity set?") 

Comprehensive Guide to Safe Registration and the Public Services Card, see answer to question 8, "What do I have 
to bring to my SAEE registration appointment?" 
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• A household utility bill, 

• An official letter/document, 

• A financial statement, 

• Property lease or tenancy agreement, 

• Confirmation of address by a third party such as a school principal/administrator, 
accommodation/property owner or manager. 

Additional documents to confirm identity which can include any or all of the following: 

• Irish Free Travel Pass, 

• Medical card issued under the General Medical Service, 

• European health insurance card, 

• Credit/debit card, 

• Other forms of ID, 

• Student card. 

281. A PSC card that issues on completion of SAFE 2 registration is valid for up to seven years. 

At renewal, a new photograph is used to update the card. DEASP has confirmed that the 
old photograph and arithmetic template is retained on the "Department's system" and on 
the facial matching database, even when a new photographic image is updated on the PSC. 
Further, information verified during the SAFE 2 registration process may need to be 
updated if a person's circumstances change (e.g. name upon marriage, address etc.).^®^ 

DEASP'sdata retention practices 

282. DEASP has confirmed that evidence which is adduced to establish and prove identity and 
the underpinning documentation is kept for the lifetime of the customer/ data subject. 

It states that the identity documents presented as evidence as part of a SAFE 2 registration 
and any subsequent updates are retained indefinitely to "provide continued support for a 
person's identity verification".^®® DEASP maintains that the PSC, as a token of the SAFE 2 
registration process, 

"..cannot be divorced from the underlying supporting documentation which is essential 
for proving its validity. This is a matter which may be at issue in any case involving 
suspected identity fraud. Thus, the underlying documentation must be retained to 
establish and authenticate a person's identity. 


See answer to Question 6 ("How long is the public services card valid for?") in the Comprehensive Guide. 

The answer to Question 23("How frequently will an individual be required to update their data for SAFE? E.g. 
Photograph?") in the Comprehensive Guide. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 8. 

in reply to Question 5 of the DPC's investigation, ("How are verifications made of date of birth and nationality? What 
copies/scans are made of supplied documents during this verification and for how long are these retained?"), in 
DEASP's Data Retention Policy - Guidelines and Procedures, it provides that data held for an "indefinite period" is 
"data held for at least the lifetime of the data subject". 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 4. 
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283. There are 3 reasons given by DEASP as to why such personal data is retained indefinitely by 

DEASP:2®5 

(1) To provide continued support for a person's identity in the context of enabling the 
prosecution of cases under both social welfare and criminal justice legislation; 

(2) To provide continued support for a person's identity in the context of enabling 
decisions on payments and entitlements during a customer's lifetime including 
pension entitlements as well as appeals under the social welfare system; and 

(3) To ensure necessary governance and audit control of SAFE registration 
transactions undertaken. 


3.6.3 Consideration of DEASP's justification for retention of information collected for SAFE 2 


(1) Continuing support for identity to enobie prosecutions ^^^ 

284. DEASP maintains that a crucial reason for the retention of original documentation 
underpinning SAFE 2 registration is to enable any future prosecution for fraud or other 
criminal activity. DEASP states that "the original documentation or retained certified copies 
are central to proving the constituent elements of a fraud involving identity . Accordingly the 
documents are necessary to carry out that prosecutorial function"d^^ [DEASP's emphasis] It 
stipulates that given the nature of fraudulent activity, fraud could take place any time in the 
future following the SAFE 2 registration process.^®® Consequently, it is necessary to keep such 
documentation for the lifetime of the data subject. DEASP categorically states that it cannot 
be rigorous in ensuring that fraud is prosecuted unless source documents are retained for 
the lifetime of the customer.^®® 

285. As to how the documentation retained by DEASP is used for such prosecutions, DEASP 
asserts that where a false identity fraud takes place, all documents submitted by the people 
concerned are absolutely crucial to obtaining a prosecution.^^® DEASP states that it is 
irrelevant that a document may have "gone out of date since presenting; the key fact is that 
the person presented that document at the time of SAFE registration"}^^ DEASP further links 
the retention of information by it to preparation of the book of evidence in the context of 
prosecutions on indictment, which it say happens in virtually all such cases. DEASP states 
that the book of evidence for such cases "usually includes" a PPSN application (or copy of it), 
copies of the photograph taken at SAFE registration, copies of the signature captured at SAFE 
registration, copies of any identity documents produced by the person when being SAFE 
registered, and copies of the evidence of address provided by the person during SAFE 


DEASP's Response to the Draft Report, section 3.2.2 at paragraph 5. 
DEASP's Response to the Draft Report, section 3.2.2 at paragraphs 1 to 17. 
DEASP's Response to the Draft Report,section 3.2.2 at paragraph 7. 
DEASP's Response to the Draft Report, section 3.2.2 at paragraph 8. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 14. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 6. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 10. 
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registration.In this regard, DEASP states that "the mere fact of SAFE 2 registration, or the 
token which is the PSC, is insufficient"/^^ 

286. Byway of support for its position, DEASP refers to a case study from its Special Investigations 
Unit.^^"^ That case study recounts how the photograph of an applicant for SAFE registration 
was matched to another person (who had already applied for SAFE registration) using the 
CFIMS (DEASP's facial matching system). Additionally an address from the utility bill retained 
from the earlier applicant was the same address as that stated in a letter (from the earlier 
applicant confirming the residence of the later applicant). While the case study states that 
"the fact that the former utility bill scanned in under Identity A's record was still on record 
when the CFIMS match occurred meant it could be submitted as part of the evidence for 
SIU",^^^ the DPC does not understand how the retention of the utility bill helped to secure a 
prosecution in that case or was essential to the prosecution case. The DPC does not consider 
the fact that one piece of information here (the utility bill from the earlier applicant) was 
submitted as part of the evidence, is sufficiently strong demonstration of the efficacy, and 
linked to the that, the necessity of retaining all such information (for all PSC applicants) 
indefinitely in aid of prosecutions. 

287. In its submissions concerning how enabling prosecutions is a justification for retention of 
underlying identity documentation collection during SAFE registration, DEASP also points to 
other case studies which it has separately provided (in the context of responding to a 
request for further information from the DPC concerning the incidence of identity fraud and 
the legal basis for photo-matching).^^® Elowever those four case studies all appear to the 
DPC to demonstrate DEASP's reliance on the CFIMS in identifying identity fraud rather than 
demonstrating the need/justification for retaining underlying supporting documentation 
provided during SAFE 2 registration as necessary to prosecution activities. 

Consideration of DEASP's submissions in relation to fraud and social welfare schemes 

288. As referred to in the paragraph above, a request for information was made to DEASP in the 
Draft Report in relation to, inter alia, statistical information from DEASP that illustrated 
confirmed cases of identity fraud as a proportion of overall fraud levels compared to other 
key forms of fraudulent activity.While DEASP's responses in this regard related in the main 
to use of facial recognition software, that being the context in which the DPC posed the 


DEASP's Response to the Draft Report, section 3.2.2 at paragraph 12. 

DEASP's Response to the Draft Report, section 3.2.2., paragraph 12. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 9. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraph 9. 

In its response to the Request for Further Information 2 (from the Draft Report) 

The DPC's Request for further Information 2 was as follows: "The Data Protection Commission requests statistical 
information from DEASP that illustrates confirmed cases of identity fraud as a proportion of overall fraud levels as 
compared to other key forms of fraudulent activity such as shadow economic activity, concurrent working and 
claiming, non-habitual residence and undeclared income. The Data Protection Commission further reguests that 
DEASP clarify the specific legal basis under Section 2A of the Acts (and any further legislative provision, whether in the 
SWCA 2005 or otherwise giving effect to that legal basis), upon which it relies upon to carry out the processing of 
biometric data by way of photo matching for the purposes of SAFE 2 registration." 
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requests for information^^* the DPC considers that it is also relevant to consider this 
information in the context of DEASP's position concerning the retention of SAFE registration 
documentation, given that DEASP has sought to justify this practice, amongst other grounds, 
by reference to enabling prosecutions for fraud . 

289. Based on DEASP's response to the request for information,^^® the DPC notes that for 2017 
(the last full year for which such data was available at the time of DEASP's response), the 
total value of DEASP overpayments where fraud was detected was €38.4 million arising from 
a total of 10,467 cases.The DPC further notes that identity fraud was not one of the top 
5 categories of fraud-related overpayment for any of the years of 2016, 2017 and 2018 (to 
end October 2018), those being the 3 years for which such statistical information was 
provided.DEASP also provided the DPC with statistical information for suspected identity 
fraud through the initial application of the CFIMS for the period from 1 January 2018 to end 
October 2018. DEASP state that there were 202 cases of which; 30 were as yet not 
concluded; 21 were cleared with no issues (DEASP referred to "twins, same names" or "no 
match [...] proved"); 103 were subject to ongoing investigation; 4 cases relations to 
individuals who have left the state and whose whereabouts are not known; 15 where 
investigation files had been sent to the DPP for consideration and/or admissions had been 
made; and 35 which had been the subject of legal cases, now concluded.In relation to the 
latter category, DEASP stated that the associated overpayment was assessed to amount to 
€1.74 million.^** (The total expenditure of the social welfare schemes which DEASP had 
responsibility for in 2018 was €20 billion).Furthermore, the DEASP informed the DPC that 
the value of identity fraud detected in 2017 (solely for the application of the CFIMS was 
€894,000 (approximately 2.3% of all detected fraud overpayments recorded in 2017).^** The 
equivalent value for 2016 was €1.734 million (approximately 4.2% of all detected fraud 
overpayments recorded in 2016).^*® 

290. The DPC accepts DEASP's position that "These sums are not insignificant". The DPC also 
acknowledges the importance, as emphasised by DEASP, in measures to prevent and detect 
identity fraud and in the deterrent effect of a "robust identity gateway". 

291. Elowever the DPC notes that no evidence (save for the case study considered above at 
paragraph 286 has been proffered by DEASP as to how the indefinite retention of 
underpinning identity verification documents collected during the SAFE 2 registration 
process is necessary to either identifying the suspected identity fraud in the first place 
(noting the DEASP's emphasis in this regard appears to be on the use of the CFIMS) or to 


DEASP's Response to the Draft Report Section 3.1.13 of the Draft Report - "Legal basis for photo matching for the 
purpose of SAFE 2 registration" 

DEASP's Response to the Draft Report, section 3.1.13, Table 2.1. 

DEASP's Response to the Draft Report, sections.1.13, Table 2.1. 

DEASP's Response to the Draft Report, sections.1.13, Table 2.2. 

Response to the Request for further information 2 (from the Draft Report), paragraph 7 
DEASP's Response to the Draft Report, sections.1.13, at paragraph 7. 

DEASP's Response to the Draft Report, sections.1.13, at paragraph 12. 

DEASP's Response to the Draft Report, sections.1.13, at paragraph 8. 

DEASP's Response to the Draft Report, sections.1.13, at paragraph 8. 

in its response to the Request for Further information 2 (from the Draft Report) - paragraph 26 
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pursuing/securing prosecutions of such forms of fraud. Bearing in mind that Section 263B(2) 
SWCA 2005 allows for the retention of photographs and signatures in electronic format 
(discussed below), the DPC does not consider that there has been sufficient demonstration 
by DEASP as to how/why not retaining the other information and documentation collected 
during the SAFE 2 registration process would prevent or prejudice the detection, 
prevention, deterrence or indeed the prosecution (this being a central plank for DEASP 
justifying such retention) of fraud. As such, the DPC does not consider that DEASP's 
statement that "The Department has been rigorous in ensuring that fraud is duly prosecuted. 
This cannot be done unless source documents are retained for the lifetime of the customer" 
[emphasis added].is borne out by its submissions or evidence. Nor does the DPC consider 
that DEASP has sufficiently demonstrated how and why, as DEASP has emphasised, " the 
original documentation or retained certified copies are central to proving the constituent 
elements of a fraud involving identity " [DEASP's emphasls].^^^ 

Case law referred to by DEASP 

292. In connection with DEASP's prosecutions-related justification for the indefinite retention of 
such information and documentation, it relies on the CJEU judgment in Joined Cases 
C-203/15 and C-698/15 Tele2 Sverige at the following paragraph: 

that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 
52(1) of the Charter, must be interpreted as precluding national legislation which, for 
the purpose of fighting crime, provides for the general and indiscriminate retention of 
all traffic and location data of all subscribers and registered users relating to all means 
of electronic communication. 

293. DEASP states that here the CJEU did not suggest that all such data retention was invalid but 
that the issue was with "general and indiscriminate retention".DEASP further seeks to 
differentiate its own retention of the information collected during the SAFE registration 
process, claiming that: 

[t]he data retained in this instance is specific data underpinning identity authentication. 
It is the personal data of those persons engaging in transactions with public bodies and 
such data is necessary to ensure that no Identity fraud is perpetrated against the social 
welfare system, or other specified bodies, and that public monies are paid to the correct 
person. It is not indiscriminate retention; it is specific to identity and the process of 
identity authentication and to specific customers seeking to engage with public services. 
The extraction of the personal data from that documentation and retention of same is 
necessitated as the underpinning documentation validates the data extracted. 


DEASP's Response to the Draft Report, section 3.2.2, paragraph 14. 
DEASP's Response to the Draft Report, section 3.2.2, paragraph 7. 
DEASP's Response to the Draft Report, section 3.2.2 at paragraph 16. 
DEASP's Response to the Draft Report, section 3.2.2 at paragraph 17. 
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294. However the DPC considers that DEASP has misapplied the rationale from Tele2 Sverige 
insofar as DEASP considers that its retention of personal data arising from the SAFE 
registration process is not indiscriminate retention. DEASP has confused the purpose to 
which it attributes such retention (i.e. the underpinning of identity authentication which it 
says is specific ) with the requirement from Tele2 Sverige that retention should not cover in 
a generalised manner all users without differentiation, limitation or exception according to 
the objective pursued.The DPC considers that it is not possible to describe DEASP's 
retention policy as anything other than indiscriminate and general. DEASP has not 
illustrated how it is necessary and proportionate, in accordance with the Charter and EU 
case law, to keep all SAFE 2 category data on file for all registered individuals on an indefinite 
(i.e. lifetime) basis. The DPC notes that some of the documentation requested to verify a 
data subject's identity is of a highly sensitive and/or personal nature (such as an adoption 
certificate or a 1951 (Geneva Convention) travel document). Further, the DPC is not 
satisfied that the DEASP has adequately explained why it is necessary to retain outdated 
material in order to enable the prosecution fraud cases. For example, DEASP has not 
demonstrated how it is relevant and not excessive to retain an outdated student card, a 
European health insurance card, or passport or driving licence, perhaps decades after it has 
expired - on the basis that it provides "continued support"^^ for an individual's identity 
verification in a process that took place years previously, particularly when the PSC is 
updated every seven years, along with a new photograph. The DPC also points out that 
DEASP is required to ensure, pursuant to section 2(l)(b) of the Acts, that data processed is 
required to be accurate, [complete], and, where necessary, kept up to date. 

295. The DPC also notes that the DEASP states that an individual's dataset cannot be deleted, 
and an individual cannot exercise their right to erasure in relation to the information 
collected during the SAFE registration.^®^ It has no disposal policy for the underlying 
documentation, however sensitive (such an adoption certificate) or intrusive (arithmetic 
template), even in instances where an individual ceases to be a customer of the DEASP, 
decides to permanently emigrate,^®® or undergoes SAFE 2 registration in order to access a 
service provided by another specified body. Instead, DEASP operates a general and 
indiscriminate retention policy whereby all data is retained indefinitely on a so-called "just- 
in-case" basis to guard against the possibility that an individual is involved in identity fraud 
into the future. 

296. The indefinite and blanket retention by DEASP of all underlying documentation and 
information submitted during the SAFE 2 registration process for the purported purposes 
of pursuing prosecutions in relation to fraud applies to all persons who apply for the PSC 
and therefore undergo the SAFE 2 registration process. This indefinite and blanket retention 
significantly applies regardless of whether there is any evidence to suggest that a person is 
involved in fraudulent activity against DEASP or another public body. Instead DEASP seeks 


Joined Cases C-203/15 and C-698/15 Tele2 Sverige at paragraph 105. 

DEASP's Response to the Draft Report Section 3.2.2 at paragraph 5 

See answer to Question 28 ("If I leave Ireland and emigrate permanently can I request my SAFE registration to be 
cancelled and deleted (I.e. exercise a Right to be Eorgotten?") of the Comprehensive Guide. 

See for example, answer to Question 28 ("If I leave Ireland and emigrate permanently can I request my SAEE 
registration to be cancelled and deleted (i.e. exercise a Right to be Eorgotten?") of the Comprehensive Guide. 
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to apply a blanket capture of all personal data submitted for the lifetime of the person in 
question without exception or limitation and without any objective criteria linking the 
retention measure with the objective pursued. The disproportionate nature of this 
retention measure is not compliant with the principle of proportionality^®® set out in Article 
52 of the Charter of Fundamental Rights of the EU. This principle "restricts authorities in the 
exercise of their powers by requiring a balance to be struck between the means used and 
the intended aim" or result reached.In accordance with the CJEU's settled case law, the 
principle also requires that the protection of the fundamental right to respect for private 
life "requires that derogations from and limitations on the protection of personal data 
should apply only in so far as is strictly necessary" Equally, in relation to the Charter 
principle of necessity, also found in Article 52, the DPC considers that, in line with the case 
law of the CJEU, DEASP's blanket retention exceeds the requirements of what is strictly 
necessary for a preventative measure. Rather, as per the principles enunciated by the CJEU 
in Tele2 Sverige the DEASP must apply clear and precise rules governing the scope and 
application of the retention measure and in particular indicating in what circumstances and 
under which conditions retention, as a preventative measure, will be adopted, so that such 
retention measures are limited to what is strictly necessary in accordance with EU law. 

297. For all of the above reasons, the DPC does not accept that the indefinite and blanket 
retention by DEASP of all underpinning identity authentication material collected during the 
SAFE 2 registration process is necessary and proportionate to the stated objective of such 
retention providing continued support for a person's identity in order to enable 
prosecutions under social welfare and criminal justice legislation. Accordingly the DPC does 
not consider that such retention for these purported purposes is in compliance with the 
requirements in Section 2(l)(c)(iv) of the Acts. 

(2) Enabling decisions on payments and entitlements during a customer's lifetime^^^ 

298. As noted above, the second reason proffered by DEASP for the indefinite and blanket 
retention of underpinning documents gathered during the SAFE registration process is that 
appeals and revisions to decisions on social welfare claims and appeals can be done at any 
time under the relevant legislation. This, DEASP says, gives rise to the requirement for 
retention of such documents for the exercise of such functions and powers. 

299. In support of this contention, DEASP states that "identity verification is an integral part of 
deciding a claim for an entitlement, establishing and maintaining a social insurance record 


The principle of proportionality requires that the proposed measure is "appropriate for attaining the objective 
pursued and does not go beyond what is necessary to achieve it".^®^ CJEU, Joined Cases C-92/09 and C-93/09, Volker 
und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9 November 2010, para 74. 

K. Lenaerts, P. Van Nuffel, European Union Law, Sweet and Maxwell, 3rd edition, London, 2011, p. 141, see also 
CJEU, Case Case C-283/11, Sky Osterreich, 22 January 2013, para 50; and Case C-101/12, Schaible v. Land Baden- 
Wurttemberg, 17October 2013,para 29. 

CJEU, Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v Post- och telestyrelsen, and Secretary of State for the 
Home Department, 21 December 2016, para 96. 

DEASP's Response to the Draft Report, Section 3.2.2 at paragraphs 18 to 26. 

DEASP's Response to the Draft Report, Section 3.2.2 at i.b. 
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and for receiving payments, some of which can last decades, for example a pension" 
DEASP goes on to State that in order for the Minister to administer social welfare in the 
State, this requires the retention of personal data which has been collected in the process 
of SAFE registration and the issuing of the PSC.^“ DEASP adds that as identity and the basis 
pursuant to which it has been established are relevant for future claims or entitlements, 
retention of supporting documents supplied during SAFE registration provides security for 
the individual concerned (evidence of how their identity was established) as well as security 
for the officer that carried out the identity authentication process.DEASP also points to 
provisions of the SWCA 2005^°^ which essentially allow for a decision of a DEASP officer to 
revise a decision. For example, DEASP notes that under Section 301 SWCA 2005, a deciding 
officer has discretion to revise their own or another officer's decision "at any time", in light 
of new evidence/ facts, a mistake in relation to evidence/ facts or where there has since 
been a change in the circumstances.DEASP also notes the discretion of the Chief Appeals 
Officer to accept a late appeal against any aspect of a decision relating to a claim. According 
to DEASP, "[tjhis in effect facilitates that virtually any Deciding Officer/ Designated Person 
(DO/PO) decision can be revised at any future stage" DEASP in support of its position that 
decisions of DEASP officers in this regard can be revisited at any time, also references an 
[unnamed] Eligh Court judgment from 2013 delivered by Hogan 

300. The DPC understands that the core argument made by DEASP in this context is that because 
decisions on social welfare claims and entitlements essentially remain capable of being 
revisited into the future that documents relating to the identity verification aspect of a 
decision on a claim entitlement, need to be retained so that they can be consulted again in 
such circumstances. However the DPC also notes that DEASP has actually stated that in 
relation to appeals: 

" [i]n the main, appeals relate to a rate of payment however, there are circumstances 
where a full review would have to take place which would involve checking identity 
information. For example where a mix-up with PRSI contributions occurred between 
family members (who have the same name or similar names) the identity 
documentation would provide part of the review/ appeal process", [emphasis added]^°^ 

301. Therefore, by DEASP's own admission, most appeals do not relate to decisions concerning 
identity verification. DEASP has provided no statistical evidence to support a position that 
the incidence of re-opening decisions on social welfare claims and entitlements on the basis 
of questions around identity is such that would justify the indefinite blanket retention of 
underlying identity verification documentation collected during SAFE registration. In any 
event, it appears to the DPC that in cases of the example given above by DEASP (mix-up due 


DEASP's Response to the Draft Report, Section 3.2.2 at paragraph 18. 

DEASP's Response to the Draft Report, Section 3.2.2 at paragraph 19. 

DEASP's Response to the Draft Report, Section 3.2.2 at paragraph 20. 

3“ Sections 301, 317 and 318 SWCA 2005. 

DEASP's Response to the Draft Report, Section 3.2.2 at paragraph 21. 

3°^ DEASP's Response to the Draft Report, section 3.2.2 at paragraph 22 

3'’3 DEASP's Response to the Draft Report, section 3.2.2 at paragraphs 24-25. 

3''3 DEASP's Response to the Draft Report, section 3.2.2 at paragraph 23. 
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to similar names within a family) that the PSI dataset (which holds information on date of 
birth and PPSN amongst other information) combined with DEASP's retention of a 
photograph would provide a sufficient means by which to resolve issues of the type referred 
to. In addition, the DPC notes that information required to SAFE 2 register is to satisfy the 
Minister (in accordance with Section 263(1C) SWCA 2005) as to the individual's identity. It 
is not collected to provide for the possibility for a deciding officer, at any point during the 
individual's lifetime, to consult SAFE 2 registration documentation as part of a review of a 
decision to provide a benefit. Further, the DPC notes that this is not listed as a processing 
purpose either in the SWCA 2005, the Comprehensive Guide or in the DEASP's privacy 
policy. Finally, in circumstances where persons availing of a DEASP service are required to 
update their PSC every seven years, whereby the photograph and the PSI dataset are 
updated^™ this provides an opportunity to review any potential questions around identity 
of the person concerned. This is in addition to the power of the Minister under Section 
247C(1) SWCA 2005 to give notice to any person receiving a benefit requesting them to 
satisfy the Minister as to their identity. 

302. For all of the reasons outlined above, the DPC considers that it is excessive and unnecessary 
to retain on file all original SAFE registration documentation for a person indefinitely for the 
purposes of enabling decisions on payments and entitlements during a customer's lifetime. 
Accordingly the DPC does not consider that such retention for these purported purposes is 
in compliance with the requirements Section 2(l)(c)(iv) of the Acts. 

(3) Ensuring necessary governance and audit controi of SAFE registration 

tronsactions^^° 

303. DEASP contends that this justification for the retention in question arises from the 
requirement that the Minister must be satisfied as to identity. DEASP says that "for this to 
occur to a meaningful standard it is necessary for good governance, guality and audit 
control that the Department retains the underlying documentation supporting the issuing of 
the PSC'd^^ In this regard, DEASP states that the documentation is required to ensure that 
DEASP is engaging and complying with the appropriate procedures for SAFE registration. 
For internal audit purposes the documents are assigned to the registering officer who dealt 
with the case and this allows for comprehensive compliance testing. 

304. The DPC understand that the core element of this justification is the rationale that for 
DEASP to be able to carry out audits and ensure that individual DEASP officers are properly 
complying with the SAFE registration requirements, all documentation handled by each 
officer in the course of SAFE registering a person must be retained.The DPC does not 
agree with this position. Audit control measure can be devised to ensure adherence to 
internal procedures without the necessity to maintain all documentation indefinitely. The 


Response to Question 23 ("How frequently will an individual be required to update their data for SAFE? E.g. 
Photograph?") of the Comprehensive Guide. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraphs 27 to 30. 

DEASP's S Response to the Draft Report, section 3.2.2 at paragraphs 27. 

DEASP's Response to the Draft Report, section 3.2.2 at paragraphs 29. 

DEASP's Response to the Draft Report, section 3.2.2. paragraphs 27 -28. 
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DPC considers that it is entirely disproportionate to the objective to retain all 
documentation submitted by every single person who has ever applied for a PSC (as of 19 
February 2019 3.2 million people had SAFE registered to obtain a PSC^^^) for the entirety of 
their lifetime as a means of ensuring that DEASP officers are properly performing their job 
functions. While it is not for the DPC to devise or suggest measures by which DEASP could 
otherwise ensure effective adherence to the SAFE registration procedures, alternatives 
such as proper training and refresher training of staff, adequate supervision and 
contemporaneous auditing while the registration process is still underway may represent 
alternatives to blanket, indefinite retention, by which DEASP can satisfy itself that the SAFE 
registration process is being properly implemented by its staff. As such, the DPC does not 
consider that this purpose for retention is necessary, or proportionate to the objective 
pursued. Accordingly the DPC does not consider that retention for this purposes is in 
compliance with the requirements in Section 2(l)(c)(iv) of the Acts. 

General comment on DEASP's justifications for retention 

305. The arguments for indefinite, blanket retention of the underpinning SAFE registration 
documentation, made by DEASP raise a further matter of concern for the DPC. There 
appears to be an implication in these arguments that SAFE registration may not, in practice, 
be as secure and effective a method of identity verification as has been contended,or as 
the system is intended to provide for. The DPC is surprised by the following statement that 
"The process of satisfying the Minister as to identity is not necessarily complete once the card 
issues", ^^^[emphasis added] given that under Section 263(1C) SWCA 2005, the Minister 
"shall not issue a public services card to a person unless the Minister is satisfied as to the 
identity of the person". Flowever it appears to the DPC that underlying the justifications of 
DEASP for retention at points (2) and (3) above is the implication that persons could be SAFE 
registered when they should not have been so registered despite SAFE 2 registration 
representing verification of identity to "a substantial level of assurance"^^^(as opposed to 
SAFE 1 registration which is verification "on the balance of probabilities"). In this regard, 
and as referred to above, it is noted that DEASP has relied on the need to retain SAFE 2 
registration documents so that it can revisit a decision on identity verification related to a 
decision on a claim or entitlement to a benefit. DEASP has also relied on the need to retain 
SAFE 2 registration documents for the purposes of auditing compliance by DEASP officers 
with the registration process. 

306. The whole point of having citizens submit to a rigorous identity verification system which 
involves extensive processing of personal data is to serve the public interest (as discussed 
earlier in this report) in having a level of assurance that persons who avail of State services 


See Dail debates on the Public Services Card, 19 February 2019 

See for example DEASP's comments at its response (paragraph 28) to Request for Further Information 2 (from the 
Draft Report) that "The PSC offers significant protections against welfare fraud using a robust identity registration 
process involving documentary evidence, background database checks, face-to-face engagement with a person, and 
the use of facial image software". 

DEASP's Response to the Draft Report, section 3.2.2. paragraph 4. 

Department of Social and Family Affairs, Social Welfare Consolidation Act 2005 Explanatory Guide, 
http://www.welfare.ie/en/downloads/swcact exp 05.pdf 
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and claim State benefits are who they say they are. The purpose of the DPC's investigation 
in this regard has not been to assess the standards of efficacy served by the SAFE 2 
registration system or identify the levels of incorrect or inappropriate SAFE 2 registrations. 
Accordingly, the DPC does not make any findings in this regard. Flowever, by way of general 
comment, the DPC wishes it to be noted that if such a system is not functioning with a high 
level of efficacy and accuracy, arguably the public interest objective is not being served. 
Equally, in such circumstances the interference with persons' rights to the protection of 
their fundamental rights and freedoms to privacy and protection of their personal data is 
not necessary or proportionate. 


FINDINGS 

THE DATA PROTECTION COMMISSION FINDS THAT THE BLANKET, INDEFINITE RETENTION 
OF PERSONAL DATA CONSISTING OF DOCUMENTS AND INFORMATION (OTHER THAN THE 
APPLICANT'S PHOTOGRAPH AND SIGNATURE) WHICH ARE ORIGINALLY COLLECTED FOR 
THE PURPOSES OF IDENTITY AUTHENTICATION IN THE CONTEXT OF SAFE 2 REGISTRATION 
IS IN CONTRAVENTION OF DEASP'S OBLIGATIONS UNDER SECTION 2(l)(c)(iv) OF THE ACTS. 
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PART FOUR 


TRANSPARENCY 
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4.1 Transparency requirements under the Acts 


307. Part 4 of this report addresses DEASP's compliance with the transparency obligations under 
section 2D of the Acts, including the obligation to provide information to data subjects prior 
to processing or transferring personal data. The obligations addressed in this section are 
standalone data protection obligations, which must be met in addition to the requirement 
of a legal basis under section 2A (see Part 3 in this regard). 

308. Section 2(l)(a) of the Acts, which implements Article 6 of the Data Protection Directive, 
requires that personal data must be obtained and processed fairly. Section 2D of the Acts 
(implementing Articles 10 and 11 of the Data Protection Directive) clarifies how the fairness 
principle should be met. It provides that, in order for processing to be considered fair, 
certain specified information must be provided (or made readily available) to the data 
subject in advance of any processing or transfer of their personal data. At a minimum, 
DEASP is obliged under Section 2D(2) of the Acts to provide information to data subjects 
on: 

• the identity of the data controller, 

• the identity of any representative appointed by the controller for the purposes of 
the Acts, 

• the intended purposes for which personal data will be processed, and 

• any other information, which is necessary having regard to the specific 
circumstances in which data are, or are to be, processed, to enable processing in 
respect of the data to be fair to the data subject, including information on the 
possible consequences of failing to provide personal data, information on recipients 
of the data and information on the data subject rights of access and rectification. 

309. In assessing DEASP's provision of information to data subjects concerning the processing of 
personal data in the context of SAFE 2 registration and the PSC, the DPC has had regard to 
the full extent of information provided by DEASP to date. Notwithstanding this, it is a source 
of concern that much of the information provided by DEASP in this context post-dates the 
implementation of SAFE 2 and the PSC in practice, and the commencement of this 
Investigation. For example, DEASP states that an information leaflet for clients is available 
at SAFE registration offices: however, this leaflet was not produced until November 2018, 
i.e. seven years after the commencement of the SAFE registration process.While the 
transparency requirements of the GDPR may account for some of DEASP's updated 
information resources, it is nevertheless clear that DEASP has not provided information in 
a manner which is consistent with the Acts (for the reasons outlined below). As will be seen 
from the following analysis and findings, DEASP has provided information in a disjointed and 
incremental manner. In certain respects, which are outlined below, DEASP has failed to 
provide information which is necessary to enable processing to be fair. 


DEASP's Response to the Draft Report, Response to Transparency Findings 4 to 8, paragraph 22. 
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310. As a precursor to its substantive responses to the provisional findings on transparency made 
by the DPC in the Draft Report, DEASP made a number of general observations in relation 
to the DPC's treatment of the principles on transparency which the DPC considers it 
appropriate to address upfront before turning to specific issues concerning the application 
of the transparency obligations to DEASP. 

311. Firstly, DEASP contends that "transparency was not present as a concept under Directive 
95/46/EC nor under the Acts"/^^ DEASP alleges that the "stricter requirements of the GPDR 
regarding transparency and privacy notices appear to have been used [by the DPC] as 
benchmarks to analyse [DEASP's] actions"^^° while at the same time asserting that DEASP is 
currently GDPR compliant. The DPC refutes the assertion that transparency was not a 
principle of EU data protection law pre-GDPR. While transparency is not explicitly 
mentioned as a standalone principle in Article 6 of the Data Protection Directive, it is a core 
component of the requirement of fair processing, as provided by Articles 6(l)(a), 10 and 11 
of the Data Protection Directive. In this regard recital 38 of the Data Protection Directive 
states: 

"if the processing of data is to be fair, the data subject must be in a position to learn of 
the existence of a processing operation and, where data are collected from him, must 
be given accurate and full information, bearing in mind the circumstances of the 
collection. 

312. The CJEU has also stressed the importance of transparency under the Data Protection 
Directive. For example, in Smaranda Bara and Others v Presedintele Casei Nationale de 
Asigurdri de Sdndtate and Others^^^ the Court stated that: 

"[t]he requirement to inform the data subjects about the processing of their personal 
data is all the more Important since It affects the exercise by the data subjects of their 
right of access to, and right to rectify, the data being processed [...] and their right to 
object to the processing of those data 

313. Secondly , DEASP contends that Section 2D "does not necessarily require that the data 
subject Is Individually given the processing Information which Is detailed at section 2(D)(2). 
It Is sufficient If the person has this 'made readily available to him or her'. The obligation Is 
to make It available 'so far as practicable'. [...] The final sub-paragraph (d) stipulates any 
other Information to enable the processing of the data 'to be fair to the data subject'. This 
is a flexible test which requires consideration of the specific circumstances of the processing 
operation. (emphasis added) 


DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 4. 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 4. 

While recitals are not binding, it casts a light on the drafter's intention on how a legislative provision should be 
interpreted. 

322 CJEU, Case C-201/14 Smaranda Bara and Others v Casa Nationala de Asigurdri de Sdndtate and Others, 1 October 
2015. 

CJEU, Case C-201/14, Smaranda Bara and Others v Casa Nafionala de Asigurari de Sanatate and Others, 1 October 
2015, para 33. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 6. 
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314. 


The rationale behind the requirements in Section 2D of the Acts is to ensure that clear and 
appropriate information is provided to data subjects so that they are in a position to 
understand what is happening to their personal data and how to exercise their rights.The 
term "so far as practicable" means that something is "able to be done" or "put into practice 
successfully".^^® This places an onus on the controller to ensure that the relevant 
information is provided to the data subject unless it is not possible to do so. 

315. The Smaranda Bara case referred to above is relevant in this context. In that case, the 
Romanian tax authority transferred certain personal data of self-employed persons to the 
national health insurance fund, without providing the data subjects with prior information 
on processing, as required under data protection law. In applying the equivalent provisions 
to section 2D of the Acts, the CJEU held that data protection law precludes the transfer and 
processing of personal data between two public administrative bodies without the persons 
concerned having been informed in advance. Similarly, in Deutsche Post AG v Hauptzollamt 
Kdin, the CJEU held that; 

the requirement that processing of personal data be fair, laid down in Article 6 of 
Directive 95/46 or In Article 5 of Regulation 2016/679, entails an obligation to inform 
the data subjects of the transfer of that data by [the controller] for the purposes of its 
subsequent processing/^^ 

The DPC notes that the DEASP wishes to distinguish Bara on its facts, since that case was 
concerned with the sharing of personal data between two public authorities whereas the 
core scope of this report is not concerned with data sharing.®^® Nevertheless, the DPC 
considers that the principles outlined by the CJEU in Bora and reasserted in subsequent case 
law is of relevance for this section. 

316. Thirdly , DEASP considers that the DPC, in its Draft Report failed to consider the "full suite of 
material" in relation to SAFE registration and the issuing of PSC which had been made 
available to the public.®^® This is considered further below. 

317. Fourthly, DEASP states that the SWCA 2005 in and of itself is sufficient to meet DEASP's 
transparency requirements but notwithstanding this, the combination of the full suite of 
other materials to which it refers should be "should be examined in combination with each 
other to determine if transparency requirements are met in a cumulative way" and that 
"each one piece of information does not have to fulfil the transparency requirements". This 
is also considered below. 


See for example, CJEU, Case C-201/14, Opinion of AG Cruz Villalon, Smaranda Bara and Others v Casa Nafionala de 
Asigurari de Sanatate and Others, 9 July 2015, para 74. 

Definition of "practicable" as "able to be done or put into practice successfully" taken from the Concise Oxford English 
Dictionary, 12"^ Edition 

CJEU, Case C-496/17, Deutsche Post AG v Hauptzollamt Koln, para 59. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraphs 13 -18. 

329 DEASP's Response to the Draft Report, Response to Transparency findings 4 - 8 at paragraph 9 and Part IV. 
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318. Fifthly, DEASP contends that it is not its responsibility to ensure that specified bodies explain 
why they are using the PSC, nor does DEASP accept that it is responsible for any failing on 
the part of a specified body to explain that DEASP carries out SAFE registration and issues 
the PSC. DEASP criticises the DPC in this regard for failing to clearly delineate between the 
responsibilities of DEASP in this regard and the responsibilities of specified bodies. Elowever 
the DPC rejects the position put forward by DEASP on this issue.DEASP is the data 
controller for the processing which it carries out, inter alia, in connection with conducting 
SAFE 2 registrations and the issuing the PSC. The DPC is satisfied that the findings of this 
investigation report are properly addressed to data protection obligations of DEASP in this 
context. 

319. Sixthly , DEASP argues that its customer complaints service has received very few complaints 
or representations from people who have been SAFE registered regarding any deficit in 
transparency to suggest that there might be a "serious deficit".While the DPC notes 
these assertions, the DPC does not consider that the volume of complaints received by a 
controller answers, as a matter of data protection law, the question of whether a controller 
is complying with its transparency obligations. The transparency obligations under section 
2D of the Acts are proactive in character, and cannot be satisfied by the ad hoc provision of 
information in the context of a complaint to DEASP. 

320. DEASP also states that, without prejudice to its position that it has not infringed section 2D 
of the Acts, it is willing to work on providing additional transparency, and invites the DPC to 
outline additional steps in this regard. For the reasons set out below in detail in this section, 
it is the DPC's view that a more focussed and easily understood privacy statement should 
be produced by DEASP to account for processing in connection with SAFE 2 and the PSC. 
Such a statement should be made available to account for processing carried out in 
connection with SAFE 2 and the PSC, explaining DEASP's specific data protection 
responsibilities, and including a comprehensive collective statement of the purposes of 
SAFE 2 registration and the PSC, together with information on the categories of data 
processed and retained, and the rights of data subjects in this context. 

321. The GDPR applies new, much more stringent, rules on transparency of processing, provided 
by Articles 12,13 and 14. Article 12 in particular requires that information must be provided 
to data subjects in a "concise, transparent, intelligible and easily accessible" manner. DEASP 
should consider how it can meet the transparency requirements of the GDPR, in respect of 
processing relating to the PSC and SAFE, (for example including by using mechanisms such 
as a layered privacy statement ) and enhance the accessibility and clarity of information 
relating to the use of the PSC and the SAFE registration process. 

4.2 Information made available by DEASP 

322. For the purposes of section 2D of the Acts, in its Draft Report the DPC assessed information 
made publicly available by DEASP in relation to the PSC and SAFE, and noted that it appears 


DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 24. 
DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 25. 
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that the primary sources of information currently available to the public on the PSC and 
SAFE are: 

• the SWCA 2005, 

• The DEASP Privacy Statement, published on 16 July 2018 on welfare.ie, 

• the Public Services Card website (psc.gov.ie) (December 2017), 

• the 'Comprehensive Guide to Safe Registration and the Public Services Card', 
published October 2017. 

323. In response to the DPC's draft report, the DEASP also points out that other sources of 
information are provided which explain the PSC/SAFE registration process. These include: 

• A face-to-face interview, which is carried out when a person attends to SAFE 2 
register. According to DEASP, at registration a staff member explains what categories 
of data are being processed, the purpose of processing and that they are undergoing 
an identity verification process. The data subject can also raise further queries in the 
registration centre.It also states that an information leaflet is available in the SAFE 
2 registration centres. This information leaflet became available in November 
2018,2^5 

• A letter providing an appointment to SAFE 2 Register, 

• DEASP's website ( www.welfare.ie) , 

• The Citizen Information Board (a separate entity), 

• A media campaign on the benefits of the PSC and MyGovID, (December 2017 - 
February 2018), 

• A website on the Public Services Card ( https://psc.gov.ie) , 

• Radio ads focusing on awareness and MyGovID, (January 2018), 

• Advertisements in weekend newspapers, on outside advertising boards, bus 
shelters, home panels and metro panels, as well as online advertisements (e.g. Irish 
Times and RTE website) and pay per click searches to connect with PSC related 
information, 

• Tweets. 

324. DEASP contends that it has made very significant attempts to meet the transparency 
requirements under the Acts and that the full extent of the information and 
communications on the PSC SAFE registration process should be considered when 
examining if transparency requirements have been met.^^^ 


Department of Employment Affairs and Social Protection, Privacy Statement available here 
http://www.welfare.ie/en/Pages/disclaimer.aspx# . Prior to the commencement of this investigation, the DEASP's 
online privacy statement only addressed processing relating to the website itself and provided general info on data 
protection rights. 

Public Services Card website available here https://psc.gov.ie/ 01 August 2018. 

The DPC were unable to independently verify the information provided, the DPC were also not provided with training 
materials that were used to train DEASP staff members. 

DEASP's Response to the Draft Report, Response to Transparency findings 4 - 8 at paragraph 22. 

DEASP's Response to the Draft Report, Response to Transparency findings 4 - 8 at Part IV. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 22. 
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325. With regard to the additional materials referred to above by DEASP in its response to the 
Draft Report, the DPC is not satisfied that all of the above sources of information can 
properly be considered as sources of information on processing of personal data . Many of 
the sources referred to provide general information about the PSC and SAFE 2 (e.g. how to 
get a card, or the purported benefits of the card) rather than specific information on the 
processing carried out by DEASP in this regard. In particular, the DPC is not satisfied that 
information provided to the public in the course of a general media campaigns (radio ads, 
tweets, bus shelter ads, etc.) contained the specific information necessary to comply with 
section 2D of the Acts. 

326. The DPC also notes that many of the sources identified above were provided many years 
afterthe implementation of the PSC and SAFE registration. In particular, the DPC notes that 
the Comprehensive Guide was only prepared in response to a request from the DPC, and 
published for the first time in October 2017. The PSC website^^® contains broadly similar 
information. The DPC also notes that the Comprehensive Guide has not been updated since 
October 2017 despite changes being made to the administration of the PSC^^®. The DPC 
considers that the Comprehensive Guide should be kept under constant review in light of 
developments in the PSC and SAFE, and should be updated accordingly. Furthermore, the 
DPC also notes by way of observation only that neither the PSC website nor the 
Comprehensive Guide provide sufficient information on the retention on individuals' 
documents used for the purposes of SAFE 2 registration. 

4.3 Information provided by the SWCA 2005 

327. In a statement on the PSC published on 25 August 2017,^'^° DEASP addressed how the public 
has been informed about the PSC and SAFE, as follows: 

The legislation underpinning the Department's application of the SAFE registration 
process and use of the PSC has been published and debated in the Oireachtas. Since the 
launch of the PSC in 2011, the Department has answered a considerable amount of 
guestions both in the Ddil and in the Irish media. 

328. The SWCA 2005 is, in theory, a detailed source of information on processing of personal 
data in relation to the PSC and SAFE (albeit that the SAFE registration process is itself is not 
expressly referred to or referenced by name anywhere in the SWCA 2005). It was also the 
primary source of information on SAFE registration and the PSC up until October 2017 when 
the DEASP's Comprehensive Guide was published. Elowever, the SWCA 2005 is an extremely 


www.psc.gov.ie 

For example, the DPC notes that DEASP has drafted proposed new wording to be inserted into the Comprehensive 
Guide in relation to the Free Travel variant of the PSC. This wording has not been implemented, but was referred to 
by DEASP in its response to the DPC's Request for Further Information 8 (DEASP's Submissions - Response to Request 
for Further Information 8 - paragraph 9) - DEASP stated that it would amend the Comprehensive Guide "at the 
earliest opportunity" 

"Statement on Public Services Card - 25th August 2017" available at 
https://www.welfare.ie/en/pressoffice/Pages/pr250817.aspx 10 August 2018 . 
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complex piece of legislation, having been modified on numerous occasions as outlined in 
Part One of the Report. In this respect, DEASP contends that the manner by which the SWCA 
2005 has been developed and amended overthe past years isfarfrom uncommon and that 
it is typically how legislation and policy develops in the Irish political and legislative 
systems.DEASP criticises the DPC for failing to acknowledge that the legislation 
underpinning the PSC has followed the standard legislative practice.DEASP points out 
that all legislation pertaining to the PSC has been unequivocally subject to equal 
parliamentary oversight, scrutiny and fully debated by the Oireachtas.Furthermore 
DEASP points out that all legislative measures have been enacted by way of primary 
legislation and DEASP does not rely on any delegated or secondary legislation in this regard. 
As such, DEASP considers that "the development of the PSC has gone through the rigours of 
the legislative process which is itself a highly transparent and controlled process."^*"^ 

329. Elowever, the DPC considers that DEASP's concerns in this regard are not well founded. In 
assessing whether DEASP has satisfied its transparency obligations under Section 2D of the 
Acts, the DPC has limited its examination to the question of whether the necessary 
information has been provided or made available to data subjects by the SWCA 2005. The 
principal question for determination is therefore whether data subjects have been informed 
about the processing of their personal data and not whether the development of 
underpinning legislation which is relied on by a controller for the processing has been 
undertaken in a manner which is considered typical in terms of promulgation of national 
legislation. 

330. The DPC notes that DEASP considers that "f/ieSl/l/CA 2005 is sufficient to meet transparency 
reguirements" It is also notable that, albeit in the context of DEASP's consideration of 
the Bara j udgment, DEASP states that "people are presumed to know the law and the CJEU 
recognised that the existence of a Romanian law [in that case] specifying transfer of income 
data would constitute sufficient "prior information" fulfilling transparency reguirements and 
dispensing with the need for further information to be provided" (emphasis added) The 
DEASP applies its analysis of that CJEU judgment to its own processing stating that: 

"The processing of personal data In connection with SAFE 2 registration and the 
public services card is comprehensively set out In the SWCA 2005... Thus the 
Department contends that the transparency reguirements under Section 2D of the 
Acts are met".^^^ 

331. While ignorance of the law does not provide immunity from criminal liability or legal 
obligations, the DPC does not accept that an equivalent presumption exists to the effect 
that data subjects are presumed to be aware of all information set down in legislation. 


DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 28. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 29. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 29. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 29. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 10 and Part V. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 16. 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 17. 
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Further to this, the DPC is satisfied that although the Bara judgment, referred to above, 
assessed legislation as a means of information provision, the Court in Bara did not create a 
presumption that information set down in law will, in every case, be regarded as compliant 
with Articles 10 and 11 of the Data Protection Directive. The DPC is satisfied that compliance 
with section 2D of the Acts requires the provision of information to data subjects in order 
to ensure fair processing; the question of whether information has been provided, or 
otherwise made available, to data subjects is matter of fact to be assessed by the DPC. It is 
in this context that the DPC has assessed the information provided to data subjects by the 
SWCA 2005. 

332. As has been observed by the DPC, the SWCA 2005 is an extremely complex piece of 
legislation. An administrative consolidation of this legislation was only made available by 
DEASP in February 2018, before which time, individuals who wished to understand the 
legislation governing the PSC and SAFE had to refer to the SWCA 2005 as well as five 
different primary enactments^"^® plus multiple amendment acts as detailed in Part 1.6. 

333. DEASP also takes issues with the DPC's statement that there is no single piece of legislation 
underpinning the PSC which provides it with a transparent, coherent and uniform legislative 
basis.In DEASP's view, the SWCA 2005 is "a single overarching piece of legislation". 
While technically the SWCA 2005 is a single piece of legislation, the DPC considers that as a 
matter of substance the numerous legislative amendments and insertions to it, as detailed 
in Part 1 of the report mean that, as a source of information for the purposes of section 2D, 
the SWCA 2005 as enacted is no longer adequate as the sole source of information for the 
purposes of section 2D of the Acts, for the reason that it has been amended extensively by 
other Acts, all of which would have to be consulted by a data subject seeking information 
in this manner. 

334. DEASP also states that it is a serious charge to contend that the law is incoherent or 
contradictory.In this regard, DEASP also says that the DPC's Draft Report suggests that 
the various Ministers who brought forward legislation to the Oireachtas relating to the PSC 
did so without a comprehensive knowledge or understanding of the measures being 
proposed, or existing measures in statute, and that the Oireachtas enacted poor and 
confused legal measures.^^^To be clear, the DPC considers that the attribution of such views 
by DEASP to the DPC is an inaccurate and misleading interpretation of the DPC's findings 
with regard to the data protection specific matters which it has examined in its 
investigation. The DPC does not make any comment as to the quality of the SWCA 2005 as 
a piece of legislation. Flowever, it is the DPC's function to assess compliance with data 
protection obligations of a controller - one being to establish the legal basis and another to 
identify whether information and transparency obligations towards data subjects have been 
met. DEASP's attribution to the DPC of generalised criticism of the SWCA 2005, the 


The Social Welfare and Pensions Act 2007, the Social Welfare and Pensions Act 2010, the Social Welfare and Pensions 
Act 2011 and the Social Welfare and Pensions Act 2012, the Social Welfare and Pensions Act 2014. 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 30. 

DEEASP's Response to the Draft Report, Response to Transparency Findings 4 -8, at paragraph 30. 

DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 30. 

DEASP's Response to the Draft Report, Response to Transparency findings 4-8 at paragraph 35. 


Page 127 of 172 



Oireachtas, or indeed the various Ministers is misguided and misleading as to the nature of 
the assessment performed by the DPC in this investigation. DPC's transparency findings are 
addressed to DEASP as a data controller. 


335. DEASP acknowledges that the SWCA 2005 is a long piece of legislation (stating that the Data 
Protection Act 2018 is not known for its brevity either) but states that the provisions on the 
PSC are contained within a few sections and any citizen consulting the SWCA 2005 would 
be able to find the heading "public services card" at Section 263 SWCA 2005 and could 
disregard the other matters relating to social welfare claims and payments, if necessary. 
The DPC finds this an extraordinary position to take. Section 263 alone has been amended 
by 3 other pieces of primary legislation^^"^ and in any event must be read in conjunction with 
Section 263A (inserted by the Social Welfare and Pensions Act 2011, and amended by the 
Social Welfare and Pensions Act 2014) and Section 263B (inserted by the Social Welfare and 
Pensions Act 2012). On any objective assessment, the SWCA 2005, with its numerous 
amendments and insertions, is a challenging piece of legislation to comprehend and indeed 
to consolidate (as set out in Annex 2 of this report). As such the DPC considers it completely 
unrealistic and unreasonable to suggest that an ordinary member of the public would find 
the SWCA 2005 an accessible means by which they could readily inform themselves about 
the processing of their personal data in connection with SAFE 2 registration and the issuing 
of the PSC. 

336. The DEASP maintains that both the publication of the consolidated text of the SWCA 2005 
and the Comprehensive Guide provide "o more accessibie means for peopie to ciarify 
information surrounding the processing operation" Elowever, the Comprehensive Guide 
was published in October 2017, on foot of a request from the DPC many years after the 
introduction of the PSC and the consolidated version of the SWCA 2005 was only published 
in February 2018. In any event, as noted above DEASP relies on the SWCA 2005 as a 
standalone means by which the transparency requirements in Section 2D of the Acts can be 
met. This assumes that the general public will be au fait with reading, understanding and 
analysing legislative text, which the DPC considers unrealistic in this case. 

337. The DEASP also states that "incrementai amendments do not negate or undermine the 
authority of a piece of iegisiation" and that the SWCA is no different to many pieces of 
primary legislation "that is constantiy updated to maintain pace with the evoiution ofpubiic 
poiicy".^^^ While this is not disputed, the DPC is nevertheless not satisfied that DEASP can 
rely on the SWCA 2005 as a source of "readily available" information for the purposes of 
section 2D(l)(a), in circumstances where the information is contained in complex 
legislative provisions and dispersed across a number of amending enactments which 
require cross-referencing on the part of the reader. 


DEASP's Response to the Draft Report, Response to Transparency Findings 4 - 8 at paragraph 30. 

Social Welfare and Pensions Act 2007; Social Welfare and Pensions Act 2012, s.3(e) of Social Welfare and Pensions 
Act 2014] 

DEASP's Response to the Draft Report- Response to Transparency findings 4-8 at paragraph 33. 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 32. 
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338. As noted elsewhere in this report, the SWCA 2005 contains no explicit reference to SAFE 
registration by way of the acronym or full terminology. The DPC has acknowledged that 
when the specified means of identity verification in Section 263B are compared with the 
Comprehensive Guide that it is clear that SAFE 2 registration requirements correspond to 
elements of Section 263B SWCA 2005. Flowever the fact that the DPC's legal analysis of the 
provisions leads to that conclusion does not equate to it being apparent to a member of 
the public from reading the SWCA 2005 that it provides the basis for SAFE 2 registration. 

339. Further, the SWCA 2005 also does not address all purposes of processing associated with 
the PSC and SAFE required by section 2D(c) of the Acts. A data subject is also not in a 
position to learn of the existence of numerous processing operations by consulting the 
Act.^^^ For example, the Act does not expressly reference the SAFE 2 registration system or 
indeed address the purpose of creating a standard identity verification system, which was 
instead detailed in the unpublished 2013 Government Decision whereby it states that the 
PSC is a "standard identity verification scheme, which is to be used for access to all public 
services where appropriate".^^® The SWCA 2005 also does not make any reference to 
processing of photographs for matching purposes (i.e. using the CFIMS facial recognition 
software, which will be considered in a further separate report of the DPC as detailed in 
Part 1). 

340. DEASP maintains that the anti-fraud purpose of creating a secure identity authentication 
system, while unarticulated in Section 263, is "so underlying as to be obvious"®®® that it 
need not be mentioned and that it is unreasonable to expect this to be mentioned given 
the way legislation is drafted. Flowever the DPC disagrees and considers that relying on a 
proposition that a purpose for processing is so obvious that it is not required to be specified 
does not assist DEASP in demonstrating how the SWCA 2005 of itself satisfies the 
transparency obligations in Section 2D of the Acts. The DPC also notes that the above is 
one example of how the SWCA 2005 specifically fails to comply with section 2D of the Acts. 
The DPC notes that the infringements of section 2D set out further in this report are also 
relevant in the context of assessing the adequacy of information provided by the SWCA 
2005. 

341. Finally the DPC also notes that DEASP alleges that the DPC's statement in the Draft Report 
that it is not the case that each granular processing operation must have a specific legal 
basis for it is in contradiction with the DPC's criticism that the SWCA 2005 does not address 
all the purposes of processing.®®® In this regard, it is not correct to say that the obligation 
to provide information on the intended purposes for processing under section 2D of the 
Acts can be satisfied by the provision of a single, general purpose. While it is not necessary 
for each granular processing operation to be separately spelled out (e.g. collection. 


In accordance with recital 38 of the Data Protection Directive 'if the processing of data is to be fair, the data subject 
must be in a position to learn of the existence of a processing operation and, where data are collected from him, 
must be given accurate and full information, bearing in mind the circumstances of the collection'. 

Department of Public Expenditure and Reform, " e-Government Strategy, Annex B - Adoption Plan for the Public 
Services Card and MyGovID". 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 39. 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 37. 
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storage, consulting etc.), where there are a range of different purposes for which personal 
data is processed, then each such purpose must be identified in accordance with Section 
2D of the Acts. 

342. Accordingly, irrespective of how typical the SWCA 2005 may be in its legislative 
development and how obvious DEASP argue certain purposes may be based on the 
provisions of the SWCA 2005, for the reasons above the DPC does not consider that the 
SWCA 2005 alone satisfies the obligation to provide transparent information on the 
processing in question, in particular in relation to the purposes for processing, under 
Section 2D of the Acts. 


FINDING 4 

THE DATA PROTECTION COMMISSION IS NOT SATISFIED THAT THE SOCIAL WELFARE 
CONSOLIDATION ACT 2005 ALONE PROVIDES DATA SUBJECTS WITH SUFFICIENT 
INFORMATION ON THE PSC AND SAFE 2 REGISTRATION, PARTICULARLY WITH REGARD TO 
PURPOSES OF PROCESSING, TO MEET DEASP'S TRANSPARENCY OBLIGATIONS UNDER 
SECTION 2D OF THE ACTS. 


4.4 Information provided by the DEASP Privacy Statement 

343. DEASPs website contains a general information page on data protection, with links to a 
"Privacy Statement", as well as a "Data Protection Policy". The latter sets out information 
on controller obligations and data subject rights, and as such, is a high-level summary of the 
main elements of data protection law. DEASP's Privacy Statement is a general statement of 
all DEASP data processing. As regards information specific to processing by DEASP, this is in 
the main set out in the Privacy Statement. Accordingly, the DPC has examined DEASP's 
Privacy Statement with regard to compliance with Section 2D of the Acts. The DPC'S Draft 
Report considered the version which was published in July 2018. However on foot of the 
DPC's comments from the Draft Report, DEASP informed the DPC that notwithstanding its 
objections to the DPC's provisional findings as to the deficit in transparency it had revised 
the general privacy statement published on its website. The revised document was dated 
leJuly 2018.^®^ 

344. The DEASP Privacy Statement currently published on DEASP's website is stated to have been 
last modified on 30 April 2019. Accordingly the DPC has assessed that revised Privacy 
Statement for the purposes of this report. 

345. Section 2 ("When we collect your information") sets out "the common situations where 
[DEASP] collect personal data". This includes at Section 2.2 "In order to validate and 
authenticate your identity, which involves a process called Standard Authentication 
Framework Environment (SAFE) registration, and to provide a Public Services Card (PSC) as 


DEASP's Response to the Draft Report - Part 7 - Appendix 7. 
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a token of the SAFE registration". Additionally, Section 5.2 of the Privacy Statement ("The 
Categories of Processing undertaken by this Department") states that a person's data is 
processed "[t]o undertake SAFE registrations in order to validate and authenticate identity 
and to provide Public Services Cards (PSCs)". Section 9.1, entitled "will your personal data 
collected be used for any other purpose?" provides a very general overview of DEASP's 
power "to collect and process personal data for a range of reasons". It states that "we are 
also allowed to collect our data for a specific reason and use it for another related purpose", 
and refers to the SWCA 2005 in this regard. This section goes on to give two examples of 
where personal data will be collected for one purpose and used for another. 

346. Section 7.1 of the Privacy Statement deals with the categories of recipients with whom 
DEASP may share personal data. It provides a non-exhaustive list of the types of 
organisations that DEASP would "normally share information with", "but only where a 
legally enforceable data sharing agreement is in place". It also states that the DEASP can 
share a person's public service identity details with a range of organisations as listed in 
schedule 5 of the SWCA 2005. 

347. In Section 8.2. ("Plow long will we keep your personal data"), the Privacy Statement states 
that "original documentation, including photographic images underpinning identity 
authentication (SAFE registration) are retained for the purpose of internal audit 
reguirements or instances where an offence may be subseguently investigated or prosecuted 
under either Social Welfare or Criminal Justice legislation". 

348. The DPC considers that notwithstanding the revisions made to it since the Draft Report 
(including new references to the purposes of processing and retention of personal data in 
connection with SAFE registration and the PSC at points 2.2, 5.2, and 8.2) the Privacy 
Statement provides a high-level overview of DEASP processing, using very generalised and 
non-specific descriptions of fundamental issues such as the purposes of the processing, and 
recipients of personal data, without sufficient detail to meet the requirements of section 
2D of the Acts. For example, there are only three summary references to the PSC/ SAFE 
registration (as detailed above), the high impact processing on the data subject (which the 
DPC considers is required under the principle of fairness, and section 2D(2)(d) of the Acts) 
such as making it clear that the retention of the original documentation for SAFE (referred 
to in Section 8.2) is for the lifetime of the data subject, that there is no right to erasure in 
relation to such data^“ and that even where new photographs are taken for the purposes 
of renewing a PSC that the old photographs are also retained indefinitely. (These 
observations of the DPC are without prejudice to the DPC's findings elsewhere in this report 
on such issues e.g. the legality of indefinite retention of the underpinning SAFE registration 
documentation). Equally, there is no reference to high impact processing such as facial 
matching of photographs carried out (i.e. using the CFIMS facial recognition software, which 
as noted previously will be considered in a separate report by the DPC on the PSC). 
Additionally, the overriding lack of specificity in the Privacy Statement on the processing of 


In this regard, Section 10.2 states in a generalised fashion (rather than specific to the context of processing in 
connection with SAFE registration and the issuing of PSCs) that "the Department has an overall data retention policy 
that states that some customer services data may be retained indefinitely for various reasons". 
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data collected for the purposes of SAFE 2 registration and the issuing of the PSC, on key 
issues such as transfer and sharing of this personal data and how it may be used for other 
purposes means that the DEASP Privacy Statement is too high level and generalised to 
satisfy the transparency requirement applicable to DEASP in relation to the processing 
operations specially relating to SAFE 2 registration and the issuing of PSCs. In particular, the 
DPC considers that the Privacy Statement does not include sufficient information on SAFE 
2 registration and the PSC card for the purposes of sections 2D(2)(c) and (d) of the Acts, and 
in particular, information on: the purposes for intended processing, the recipients or 
categories of recipients of personal data, and the consequences of refusing to provide 
information requested for the purpose of SAFE 2 registration. 

349. The Department maintains that the Privacy Statement is designed to address all activities 
of the DEASP and it is "unfair to castigate the Privacy Statement for lack of specificity on the 
PSC when viewed in this context" It also "pushes back against the suggestion that the 
Privacy Statement is designed to be a one-stop shop for information on the PSC, bearing in 
mind the risk of information fatigue, and the approach of layering suggested by the WP 

2g" 364 

350. In accordance with Section 2D, a data subject must be able to determine from a privacy 
statement, amongst other things, the purposes of processing so that they are aware of how 
their data will be used and so that they can understand how they might exercise their data 
protection rights. For the reasons discussed above, and bearing in mind the fact that the 
Privacy Statement is an initial layer of information provided to data subjects, the DPC 
considers that DEASP's Privacy Statement is too general, and is not specifically addressed 
to the particular processing operations carried out in connection with SAFE registration and 
the issuing of the PSC to satisfy the requirements of Section 2D in relation to these particular 
processing operations. 

351. While DEASP contends that consulting DEASP's website leads a person to a dedicated PSC 
website, the DPC considers that this dedicated website falls to be considered separately 
from DEASP's Privacy Statement. In any event, the DPC notes that to navigate to the PSC 
specific website, a person must first navigate to the Public Services Identity page on the 
www.welfare.ie website, then must navigate to a PSC page on the www.welfare.ie website, 
and from there (having scrolled to the bottom of that page) must access the separate PSC 
website ( www.psc.gov.ie ). Accordingly, the DPC does not consider that the Privacy 
Statement can be regarded as sufficient for the purposes of providing an initial layer of 
information to data subjects, in circumstances where the statement is not linked to detailed 
information on processing in an appropriate manner. 


DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 45. 
DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 at paragraph 49. 
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FINDINGS 

THE DATA PROTECTION COMMISSION IS NOT SATISFIED THAT DEASP'S PRIVACY 
STATEMENT PROVIDES DATA SUBJECTS WITH SUFFICIENT INFORMATION IN RELATION TO 
PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE ISSUE OF THE PSC AND SAFE 
2 REGISTRATION TO MEET DEASP'S TRANSPARENCY OBLIGATIONS UNDER SECTION 2D OF 
THE ACTS. 


4.5 Card data 

4.5.1 Card Data Updates 

352. DEASP confirms that although a person is only required to undertake a SAFE registration 
once, information "may need to be updated if a person's circumstances change". It suggests 
that possible changes to the PSI dataset include change of name (i.e. on marriage), address, 
nationality (i.e. on naturalisation) or sex (i.e. gender reassignment). 

353. The PSC is valid for seven years and may be replaced if lost. A new PSC may also be required 
when a person reaches the age of 66 and wishes to avail of a card with free travel 
functionality. It appears that in almost all circumstances, any necessary updates of a PSC 
card require in person attendance at a SAFE registration centre. 

Information on consequences of not updating PSC information 

354. In its Draft Report, the DPC stated its provisional view that there was insufficient 
transparency to the public about whether updates due to a change in a PSC cardholder's 
circumstances are required to be provided by the cardholder. The DPC noted that there is 
no information available to the public about whether there are sanctions for not making 
such updates, or indeed, whether any such sanction might extend to the withdrawal or 
cessation of benefits and/or services. In response to these issues, the DEASP states that "in 
the context of solely being a PSC holder, the person is free to notify but is not required" 
[emphasis added].It maintains that no "direct sanctions" are applied to persons who fail 
to update their PSC or PSI dataset information, and that this, "does not in itself lead to 
cessation of benefits or services".DEASP further contends that in the use of the language 
"may need to be updated" (i.e. as used in the response Question 23 in the Comprehensive 


DEASP Comprehensive Guide to SAFE registration and the PSC - Response to Question 23 ("How frequentiy wili an 
individuai be required to update their data for safe? E.g. photograph"). 

DEASP's Response to the Draft Report - Response to Transparency Findings 4 - 8 - Paragraph 4. 

DEASP's Response to the Draft Report - Section 4.2.2, Paragraph 8 "Quite simpiy DEASP has no direct sanctions 
applied to persons who fail to notify a change in or to update PSC or PSI data set information. This does not in itself 
lead to cessation of benefits or services". 
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Guide) there is no suggestion of an explicit requirement imposed on a person with any 
attaching sanctions.^®® 

355. However DEASP goes on to consider the position with regard to conditions of receipt for 
any benefit/ assistance. It states that if it transpires that a person has had a material change 
in circumstances such as an increase in household income that may have a consequential 
effect on the person's benefit entitlement, then pursuant to Section 334(2) SWCA 2005, if 
a question arises as to whether the conditions for payment of a benefit are or were fulfilled 
or a decision that such a payment/ benefit ought to be revised, then suspension of the 
payment may take place until the question has been decided.^®® DEASP states that 
recipients of social welfare/ assistance payments are regularly and consistently informed 
that they are responsible for informing DEASP of any change in their circumstances and that 
failure to do so may affect their entitlement.®^® As outlined in Part 3 of the report, persons 
are required to obtain a PSC in order to claim, present for payment of, or receive a benefit. 
Therefore, because the use of the PSC is inextricably linked to (as a condition of) claiming a 
benefit, the DPC considers that the consequences of not updating their information (as 
recorded on their PSC) must be clearly spelled out by DEASP. For example, the DPC notes 
that DEASP can impose sanctions and penalties for not notifying the Minister of a change in 
circumstances such a change of address®®^ which can affect the entitlement to a benefit.®^® 
As such, the DPC considers that the consequences of any such failures to update PSC 
information which can impact on the entitlement to a benefit must be provided to persons 
who are or have been SAFE registered to obtain a PSC for the purposes of claiming, 
presenting for payment of, or receiving a benefit. This is an essential requirement of the 
obligation in Section 2D(2)(d) of the Acts that such information must be provided to a data 
subject having regard to the specific circumstances in which personal data is processed, 
which is necessary to enable the processing to be fair. 

356. Separately, DEASP states that specified bodies other than DEASP may have consequences 
for persons who engage in transactions with them if they do not update information 
provided in the context of SAFE 2 registrations. DEASP contends that it is a matter for the 
relevant specified body to provide the information on the possible consequences of 
same.®®® However, the DPC does not agree with this position. As the sole body conducting 
SAFE 2 registration and issuing PSCs in the State, the DPC considers that it is the 
responsibility of DEASP, the data controller, at the time of collecting personal data for the 
purposes of SAFE 2 registration and the issuing of a PSC (irrespective of the purpose for 
which it may be used) to provide fulsome information about the relevant potential 


DEASP's Response to the Draft Report also point out in section 4.2.2 at paragraph 7 (footnote 48) that the card carrier 
letter that people receive when they receive the PSC in the post states "if any information is incorrect please contact 
the Department's helpdesk at 01-7043281". 

DEASP's Response to the Draft Report Section 4.2.2, paragraph 9. 

DEASP's Response to the Draft Report Section 4.2.2, paragraph 10. 

A data subject's address forms part of the PSI dataset. A change of address could for a variety of payments amount 
to a change in circumstances which affect the right to or receipt of a benefit. 

See for example. Article 209, S.l. No. 142/2007 - Social Welfare (Consolidated Claims, Payments and Control) 
Regulations 2007. 

DEASP's Response to the Draft Report Section 4.2.2, paragraph 12. 
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consequences of not updating PSC and PSI dataset information in relation to availing of 
transactions or services with a particular public body. 

Updating of the PSI dataset 

357. As noted previously, section 262(5) of the SWCA 2005 (as amended) states that: 

where a specified body collects from a person any of the information specified 
in subsection (3), that information shall also be collected for the purpose of maintaining 
the person's public service identity. 

358. In addition, section 267(1) and (2) SWCA 2005 (as amended) provides: 

(1) Notwithstanding anything contained in any other enactment, a specified body may 
share any information, that may be prescribed, with the Minister for the purpose of 
seeking from the Minister the personal public service number for each person in respect 
of whom the information is shared. 

(2) Information received by the Minister under subsection (1) may be used by the Minister 
for the purpose of identifying the personal public service number for each person in 
respect of whom such information is received and for updating the Minister's own 
records in respect of that person, (emphasis added] 

359. It is quite possible that during a person's interaction with a public body, updated 
information will be provided that is pertinent to one or more items on the PSI dataset. As 
referred to above, the legislation (Section 262(5)) provides that a specified body should 
collect this information for the purposes of maintaining the PSI. In its Draft Report, the DPC 
stated that DEASP should ensure that there is no confusion amongst PSC cardholders in 
relation to where the responsibility lies for updating PSI information. In response DEASP 
states that: 

"..while a person who has a more recent interaction with another specified body (as 
opposed to DEASP) may update their information with that body, in reality, this updated 
PSI information is not as a matter of course passed over to DEASP. The specified body 
may not apply the same criteria for updating a part of the PSI e.g. name; therefore the 
Department would not automatically update someone's PSI as a result of them notifying 
a specified body of the change. The legislation allows for it to happen but particularly 
where a person is at SATE 2, strict criteria must be met for a PSI data item to be changed. 
Therefore the source of truth is the data that DEASP holds, rather than the specified 
body".^^'* 

360. The DPC finds the above most confusing. Essentially DEASP seems to say that a person can 
be SAFE registered, with the PSI dataset relating to that person held by DEASP but that 


DEASP's Response to the Draft Report Section 4.2.2, paragraph 13. 
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person can then provide different (i.e. updated) information (such as a name change) to 
another specified body which will hold that different information but the change/ update 
to the information may or may not be passed to DEASP to update the PSI dataset. Therefore 
the PSI dataset held by DEASP may or may not accord with the information held by the 
specified body. The DPC notes, by way of example of the lack of clarity on what is actually 
happening in practice, that DEASP confirmed to the DPC that where individuals engaged 
with the Road Safety Authority, the DEASP received updated PSI information.The DPC 
also notes that the Comprehensive Guide states that "the dataset can be kept up to date by 
using data from the person's most recent interaction with a specified body"^^^. It therefore 
appears to the DPC that sufficient information, for the purposes of section 2D, has not been 
provided to the public in relation to the circumstances in which personal data will be passed 
by specified bodies to DEASP, and used to update the PSI dataset. 


FINDING 6 

THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS CONTRAVENED SECTION 
2D(2)(d) OF THE ACTS, BY FAILING TO PROVIDE DATA SUBJECTS WITH SUFFICIENT 
INFORMATION CONCERNING THE RELEVANT POTENTIAL CONSEQUENCES FOR A PSC 
CARDHOLDER WHO FAILS TO UPDATE INFORMATION PROVIDED IN THE CONTEXT OF A 
SAFE 2 REGISTRATION. 


FINDING? 

THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS CONTRAVENED SECTION 
2D(2)(d) OF THE ACTS, BY FAILING TO PROVIDE DATA SUBJECTS WITH SUFFICIENT 
INFORMATION CONCERNING THE CIRCUMSTANCES IN WHICH INFORMATION PROVIDED 
TO ANOTHER PUBLIC BODY (NOT DEASP) WILL BE PASSED TO DEASP AND USED TO UPDATE 
THE PSI DATASET. 


4.6 Transparency in relation to data retention 

361. Part 3.6 of this report deals with the matter of data retention and the following should be 
read in conjunction with the DPC's consideration of DEASP's practice of indefinitely 
retaining identity authentication documentation and information which is collected during 
the SAFE registration process. 


DEASP's Response to the Draft Report - Response to Request for Further Information 3 - Paragraph 2, 

DEASP Comprehensive Guide - Answer to Question 20 ("What governance mechanisms have been put in place to 
oversee and underpin the sharing of PSI data? Will these arrangements be made public?") 
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362. The DPC does not consider that DEASP, as a data controller, has provided a satisfactory 
explanation to the public for the indefinite retention of personal data (the underpinning 
original documentation) collected as part of the SAFE 2 registration process. As set out in 
Finding 3, the DPC considers that the purposes for which the information is collected does 
not justify the indefinite retention of all underlying SAFE 2 registration documentation. 

363. The DPC notes that there is no reference to the length or purposes of retention of the 
underlying SAFE registration documents in the Comprehensive Guide. The DPC also notes 
that DEASP's current Privacy Statement (on www.welfare.ie ) states at Section 8 ("Flow long 
will we keep your personal data?") that: 

"original documentation, including photographic images underpinning identity 
authentication ( SAFE registration) are retained for the purpose of internal audit 
reguirements or instances where an offence may be subseguently investigated or 
prosecuted under either Social Welfare or Criminal Justice legislation." 

364. Quite aside from the DPC's finding that the retention of such identity authentication 
documentation contravenes the obligation in Section 2(l)(c)(iv) not to keep the personal 
data for longer than is necessary for the purposes for which they were collected, the DPC 
does not consider that the above statement is a sufficiently adequate explanation of the 
purposes to which the persona data in question which is retained may be put and the 
potential scope of the processing which may take place beyond the completion of the SAFE 
registration process. The statement above is highly generalised and is not a sufficient 
explanation of relevant issues which the DPC considers must be included as a requirement 
of the fairness element under Section 2D(2)(c) and (d). This includes failing to explain that 
the entirety of all such material is kept for the lifetime of the person who applies for SAFE 
2 registration,^” including old photographs (i.e. where a more up to date photograph has 
been taken) and arithmetic templates and the purposes of such retention. 

365. DEASP has provided the DPC with a Data Retention Policy - Guidelines and Procedures 
dated November 2018, however, this, to the DPC's knowledge, has not been published, and 
so cannot be regarded as information provided to or otherwise made readily available to 
persons engaging with the SAFE 2 process.”® 

366. By way of further response, DEASP states that the retention of a person's photograph and 
signature is provided for under Section 263B(2) of the SWCA 2005.®®° For the reasons set 
out in 4.3, the DPC does not consider that the provisions of the SWCA 2005 are an answer 
to the transparency obligations of DEASP. In this regard, the DPC also notes that section 
263B(2) envisages the retention of certain categories of data, it does not provide, or make 
available, information on the extensive and indeterminate retention of personal data 


DEASP's Response to the Draft Report Sections.2.2. paragraph 14. 

DEASP's Response to the Draft Report Section 3.2.2, paragraph 31. 

DEASP's Response to the Draft Report, Appendix 1 to response to Provisional Finding no.10. 
DEASP's Response to the Draft Report, Section 4.3 paragraph 3. 
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obtained in the context of SAFE 2 Registration, nor does this provision provide for the 
indefinite retention of personal data generally in this context. 

367. Further, DEASP contends that all persons attending for SAFE registration have a face-to-face 
interview with trained staff members of DEASP and customers have "ample opportunity to 
make Inquiries In person from a trained officer of the Department about any matter relating 
to SAFE registration, Including the retention of data" The DPC does not consider that 
such "an ample opportunity" to ask questions of a DEASP officer in any way satisfies DEASP's 
obligation in Section 2D(2)(d) of the Acts that such information must be provided to a data 
subject having regard to the specific circumstances in which personal data is processed, 
which is necessary to enable the processing to be fair. 

368. Pursuant to Article 13(2)(a) GDPR and Article 14(2)(a), controllers are required to provide 
the data subjects with the period for which the personal data will be stored, or if that is not 
possible, the criteria used to determine that period. This is linked to the data minimisation 
principle set down in Article 5(l)(c) and the storage limitation principle in Article 5(l)(e). 


FINDINGS 

THE DATA PROTECTION COMMISSION FINDS THAT DEASP HAS CONTRAVENED THE 
TRANSPARENCY AND FAIRNESS REQUIREMENTS OF SECTION 2D(2)(c) AND (d) OF THE 
ACTS, BY FAILING TO PROVIDE DATA SUBJECTS WITH SUFFICIENT INFORMATION 
CONCERNING THE PURPOSES AND JUSTIFICATION FOR INDEFINITELY RETAINING 
DOCUMENTS AND INFORMATION USED TO IDENTIFY AN INDIVIDUAL FOR THE PURPOSE 
OF INITIAL SAFE 2 REGISTRATION. 


DEASP's Response to the Draft Report, Provisional Finding 10 at paragraph 4. 
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PART FIVE 


SUMMARY TABLE and UNOFFICIAL CONSOLIDATION 
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ANNEX 1 


COMPARATIVE TABLE 


SECTIONS 241, 247C, 263B SWCA 2005 
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Section 241, SWCA 2005 
(Claims) 


Section 247C, SWCA 2005 (Benefits) 


Section 263B, SWCA 2005 (PSC) 


SAFE 2 Registration Steps (per 
Question 7, DEASP 
Comprehensive Guide to 
SAFE Registration and the 
Public Services Card) 


Other 

Authentication 

Methods: 


(1C) For the purposes of 
satisfying himself or herself as 
to the identity of a person 
who makes a claim for 
benefit, the Minister may, 
without prejudice to any 

other_method_of 

authenticating the identity of 

that person, request that 
person— [emphasis added] 


(3) A notice under subsection (1) may 
require the person to whom it is given to 
do one or more than one of the 
following, as the Minister considers 
appropriate, at the time specified in the 
notice, or at any time thereafter as may 
be determined by the Minister and 
notified to the person: [...] 

(5) This section shall not be construed as 

preventing the Minister from using a 

method of authentication of the identity 

of a person in receipt of benefit, other 

than a method referred to in this section, 

which the Minister considers appropriate 

to use , [emphasis added] 


(1) For the purposes of satisfying 
himself or herself as to the identity of 
a person in respect of whom a 
personal public service number is to 
be allocated and issued under section 
262, or in respect of whom a public 
services card is to be issued under 
section 263, the Minister may, 
without prejudice to any other 

method of authenticating the identity 

of that person, request that person — 
[emphasis added] 


Not applicable 
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Attendance: 

(a) to attend at an office of the 
Minister or such other place 
as the Minister may designate 
as appropriate, 

(a) attend at an office of the Minister or 
such other place as the Minister may 
designate as appropriate; 

(a) to attend at an office of the 
Minister or such other place as the 
Minister may designate as 

appropriate. 

a face-to-face meeting at an 

Intreo centre or a dedicated 

SAFE registration centre 

Provision of 

information: 

(b) to provide to the Minister, 

at that office or other 

designated place, such 

information and to produce 
any document to the Minister 
as the Minister may 
reasonably require for the 
purposes of authenticating 
the identity of that person. 

(b) provide to the Minister, at that office 
or other designated place, such 
information and to produce any 

document to the Minister as the Minister 

may reasonably require for the purposes 
of authenticating the identity of that 

person; 

(b) to provide to the Minister, at that 
office or other designated place, such 
information and to produce any 

document to the Minister as the 

Minister may reasonably require for 
the purposes of authenticating the 
identity of that person. 

the collection and verification 

of the basic identity 

information known as the 

person's Public Service 
Identity (PSI) data set and 

the examination/ validation/ 

verification of at least two 

documents supporting 

identity 

Photograph / 
image: 

(c) to allow a photograph or 
other record of an image of 
that person to be taken, at 

that office or other 

designated place, in electronic 
form, for the purposes of the 
authentication, by the 

Minister, at any time, of the 
identity of that person, and 

(c) allow a photograph or other record of 
an image of that person to be taken, at 
that office or other designated place, in 
electronic form, for the purposes of the 
authentication, by the Minister, at any 
time, of the identity of that person; 

(c) to allow a photograph or other 
record of an image of that person to 
be taken, at that office or other 
designated place, in electronic form, 
for the purposes of the 

authentication, by the Minister, at any 
time, of the identity of that person, 

and 

Photo-matching 
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Signature: 

(d) to provide, at that office or 
other designated place, a 
sample of his or her signature 

in electronic form for the 

purposes of the 

authentication, by the 

Minister, at any time, of the 
identity of that person. 

(d) provide, at that office or other 
designated place, a sample of his or her 
signature in electronic form for the 
purposes of the authentication, by the 
Minister, at any time, of the identity of 
that person. 

(d) to provide, at that office or other 
designated place, a sample of his or 
her signature in electronic form for 
the purposes of the authentication, 
by the Minister, at any time, of the 
identity of that person. 

Not referenced in question 7 

response 

Retention: 

(ID) The Minister shall retain 

in electronic form- 

(4) The Minister shall retain in electronic 

form- 

(2) The Minister shall retain in 

electronic form- 

Not referenced in question 7 

response 


la) any photograph or other 
record of an image of a person 
taken pursuant to subsection 
(lC)(c), and 

(b) any signature provided 
pursuant to subsection 
(lC)(d), 

in such manner that allows 

such photograph, other 
record or signature to be 
reproduced by electronic 

means. 

la) any photograph or other record of an 
image of a person taken under 
subsection (3)(c), and 
(b) any signature provided under 
subsection (3)(d), 

in such manner that allows such 

photograph, other record or signature to 
reproduced by electronic means. 

la) any photograph or other record of 
an image of a person taken pursuant 
to subsection (l)(c), and 
(b) any signature provided pursuant 
to subsection (l)(d), 

in such manner that allows such 

photograph, other record or 
signature to be reproduced by 

electronic means. 
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ANNEX 2 


Social Welfare Consolidation Act 2005 


Extracted Sections (Unofficial Consolidation) 
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Social Welfare Consolidation Act 2005 
Extracted sections updated by DPC's office. 


Claims 

241.—(1)^“ It shall be a condition of any person's right to any benefit that he or she— 

(a) makes a claim for that benefit in the prescribed manner, and 

(b) satisfies the Minister as to his or her identity. 

(1C)383 pq|, |-[.^g pLif-poses of satisfying himself or herself as to the identity of a person who 
makes a claim for benefit, the Minister may, without prejudice to any other method of 
authenticating the identity of that person, request that person- 

jo) to attend at an office of the Minister or such other place as the Minister may designate 
as appropriate, 

(b) to provide to the Minister, at that office or other designated place, such information 
and to produce any document to the Minister as the Minister may reasonably require 
for the purposes of authenticating the identity of that person, 

(c) to allow a photograph or other record of an image of that person to be taken, at that 
office or other designated place, in electronic form, for the purposes of the 
authentication, by the Minister, at any time, of the identity of that person, and 

(d) to provide, at that office or other designated place, a sample of his or her signature in 
electronic form for the purposes of the authentication, by the Minister, at any time, 
of the identity of that person. 

(10)384 j[.^g Minister shall retain in electronic form- 

jo) any photograph or other record of an image of a person taken pursuant to subsection 
(lC)jc), and 

(b) any signature provided pursuant to subsection jlC)(c/), 

in such manner that allows such photograph, other record or signature to be 
reproduced by electronic means. 

(2) Where a person fails to make a claim for benefit (including any increases of that 
benefit) within the prescribed time, he or she shall be disqualified for payment- 


As amended by s.15 of 12/2012 
383 As inserted by s.l5 of 12/2012 
38'* As inserted by s.l5 of 12/2012 
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in the case of State pension (contributory), State pension (transition), widow's 
(contributory) pension, widower's (contributory) pension, surviving civil partner's 
(contributory) pension or guardian's payment (contributory), in respect of any 
period more than 6 months before the date on which the claim is made, 

(aa)^“ in the case of medical care, in respect of any period more than 12 months before 
the date on which the claim is made, 

{b] in the case of invalidity pension, in respect of any period more than 6 months 
before the date on which the claim is made, 

(c) ^®^ in the case of jobseeker's benefit, health and safety benefit, adoptive benefit, 

paternity benefit, occupational injuries benefit (other than disablement benefit 
under section 75 , an increase in disablement benefit under sections 77 and 7^ or 
death benefit by way of pension under sections 81 and ^ ), carer's benefit, 
bereavement grant, widowed or surviving civil partner grant, jobseeker's 
allowance, pre-retirement allowance. State pension (non-contributory), blind 
pension, widow's (non-contributory) pension, widower's (non-contributory) 
pension, surviving civil partner's (non-contributory) pension, guardian's payment 
(non-contributory), one-parent family payment, carer's allowance, farm assist, 
working family payment and back to work family dividend, in respect of any period 
before the date on which the claim is made, 

(d) ^®® in the case of illness benefit, or disability allowance, in respect of any period 

more than 7 days before the date on which the claim is made, 

(e) in the case of maternity benefit— 

(i) where the claim is made before the end of the week of confinement, in 
respect of any period before the beginning of the week in which the claim is 
made, 

(ii) where the claim is made after the end of the week of confinement, in respect 
of any period before the beginning of the 7th week before the week in which 
the claim is made not being earlier than the beginning of the week of 
confinement, 

and 

(/)^*® in the case of disablement benefit under section 75 , an increase in disablement 
benefit under section 77 or 78 or death benefit by way of pension under section 


As amended by s 4(1) of Social Welfare Law Reform and Pensions Act 5/2006; s.26 of 37/2010 and by s.9 of 37/2011 
386 Inserted by s.10(d) of Social Welfare and Pensions Act 8/2007 

As amended by s 4(1) of Social Welfare Law Reform and Pensions Act 5/2006; s.26 of 37/2010; s.5 of 9/2011; s.l4 of 
12/2015; S.16 of 15/2016 and s.8 of 38/2017 

As amended by s 4(1) of Social Welfare Law Reform and Pensions Act 5/2006 
As amended by s 5(3)(b) of Social Welfare and Pensions Act 9/2011 
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81 or 83 , in respect of any period more than 3 months before the date on which 
the claim is made. 

(2A)^®° In the case of a claim for— 

(o) State pension (transition) made before 5 April 2012, or 

{b] State pension (contributory), widow's (con-tributory) pension, widower's 
(contributory) pension, surviving civil partner's (contributory) pension and 
guardian's payment (contributory) made before 6 April 2012, 

subsection (2)(o) shall be read as if '12 months' were substituted for '6 months'. 


(3) Notwithstanding paragraphs (c), (d), (e) and (f) of subsection (2), in the case of a 
benefit to which those paragraphs apply, where a claimant proves to the satisfaction 
of a deciding officer or an appeals officer that— 

(o) on a date earlier than the date on which his or her claim for benefit (including any 
increase of benefit) was made, apart from satisfying the condition of making a 
claim, the claimant was entitled to benefit, and 

{b] throughout the period between the earlier date and the date on which his or her 
claim was made there was good cause for the delay in making a claim, 

he or she shall not be disqualified for receiving payment in respect of any such period 
referred to in paragraph (a) which does not exceed 6 months before the date on which 
the claim is made. 

(4) A person who fails to make a claim for child benefit within the prescribed time shall be 
disqualified for payment in respect of any day before the date on which the claim is 
made unless a deciding officer or appeals officer is satisfied that there was good cause 
for delay in making the claim, in which case, child benefit shall be payable from the first 
day of the month following that in which the claimant became a qualified person within 
the meaning of section 220 . 

(4A)39i (o) a person who fails to make a claim for domiciliary care allowance within the 
prescribed time shall be disqualified for payment in respect of any day before the 
first day of the month following the day on which the claim is made. 

{b] Notwithstanding paragraph (o), where a deciding officer or an appeals officer is 
satisfied that— 

(i) on a date earlier than the first day of the month following the day on which the 
claim was made, apart from satisfying the condition of making a claim, the 


^90 As inserted by s.9 of 37/2011 

^91 As substituted by s.lO of Social Welfare And Pensions Act 2009 
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person became a qualified person within the meaning of section 186D(1) 
(inserted by section 15 of the Social Welfare and Pensions Act 2008 ), and 

(ii) throughout the period between the earlier date and the date on which the claim 
was made there was good cause for the delay in making the claim, 

the person shall not be disqualified for receiving payment of domiciliary care 
allowance in respect of any such period referred to in subparagraph (i) which does 
not exceed 6 months before the first day of the month following the date on which 
the claim is made 

(5) A claimant for illness benefit or injury benefit, who fails or neglects for a period 
exceeding 6 months to submit or to continue to submit medical or other satisfactory 
evidence of the incapacity, shall be disqualified for receiving benefit in respect of any 
such period but where a deciding officer or an appeals officer is satisfied that there was 
good cause for delay in submitting or continuing to submit evidence of incapacity, the 
deciding officer or appeals officer may extend the period of 6 months to the date on 
which the evidence is submitted. 

(6) Where a person fails to make a claim for carer's support grant or continued payment 
for qualified children within the prescribed time, he or she shall be disqualified for 
receiving that payment. 

(7) Notwithstanding subsection (2), the periods specified in that subsection in respect of 
which payment may be made before the date on which a claim is made may, subject to 
the conditions and in the circumstances that may be prescribed, be extended by a 
deciding officer or an appeals officer, as the case may be. 

(8) Regulations may provide for provisionally allowing a claim for benefit before the date 
on which the claimant will actually become entitled to that benefit, in the manner and 
subject to the conditions that may be prescribed. 

(9) For the purposes of this Act, any claim or notice made or sent by post or by any other 
method is deemed to have been made or given on the date of receipt of the claim or 
notice by an officer of the Minister. 

[Section 242 as amended by s.29^®^ of Social Welfare and Pensions Act 2007; of 
Social Welfare and Pensions Act 2014; s.9^®^ of Social Welfare (Miscellaneous 
Provisions) Act 2015] 

Payments 

242.—(1) Regulations may provide for— 


As amended by s 4(1) of Social Welfare Law Reform and Pensions Act 5/2006 
Commenced on enactment 
Commenced on enactment 
Commenced on enactment 
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(o) the time and manner of payment of benefit, 

(^)396 |-|^g information and evidence to be given by a claimant or beneficiary— 

(i) when applying for payment of benefit, or 

(ii) when there has been a change in the circumstances of the claimant or 

beneficiary which may affect the payment of the benefit concerned, 

and, 

the payment of specified benefits through a payment service provider. 

(2) Regulations made under this section as to the time of payment of benefit may provide— 
(o) notwithstanding anything contained in this Act— 

(i) in the case of specified benefits (other than child benefit), for adjusting the 
commencement and termination of that benefit, or for changes in the rate of 
that benefit, so that payments shall not be made in respect of periods less than 
a week or at different rates for different parts of a week, 

(ii) in the case of child benefit, for adjusting the commencement and termination 
of that benefit, or for changes in the rate of that benefit, so that payments shall 
not be made at different rates for different parts of a month, 

{b] for extinguishing the right to any sum payable by way of benefit where payment of 
that benefit is not obtained within 6 months or any shorter period that may be 
prescribed from the time at which that sum is receivable in accordance with 
regulations. 

(3) Notwithstanding this Act, regulations may provide for payment of benefit, in the 
circumstances and subject to the conditions and for the periods that may be prescribed, 
to a claimant or beneficiary who has attained pensionable age. 

(4) Subject to subsection (5), a person presenting for payment of benefit on his or her 
own behalf shall satisfy the Minister, an officer of the Minister or a payment service 
provider, as the case may be, as to his or her identity by furnishing— 

(a) his or her public services card, or 

(b) a card that has been issued to the person by the Minister under section 264 and 
such other information or documentation as the Minister, an officer of the Minister 
or a payment service provider, as the case may be, may reasonably require for the 
purposes of authenticating the identity of that person. 

(5)®®® The Minister may make arrangements with a payment service provider in respect of 
the payment of benefit to such class of persons as the Minister may determine and 
such arrangements may include the furnishing by the Minister of information or 


As substituted by s.29 of 8/2007 
As substituted by s.3 of 16/2014 

As (inserted by s.3 of 16/2014) then substituted by s.9 of 12/2015 
As (inserted by s.3 of 16/2014) then substituted by s.9 of 12/2015 
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documentation to the payment service provider for the purposes of authenticating 
the identity of any such persons presenting to the payment service provider pursuant 
to the arrangement. 


(6)"^°° A person presenting for payment of benefit on behalf of another person (in this section 
referred to as the 'other person') shall furnish to the Minister, an officer of the 
Minister or a payment service provider, as the case may be— 

(a) where the person has been nominated in that behalf in accordance with regulations 
made under section 244(l)(a) — 

(i) evidence that he or she has been so nominated by the other person to receive the 

benefit on behalf of the other person, 

(ii) the public services card issued to the other person or a card issued to the other 

person by the Minister under section 264, and 

(iii) such other information or documentation as the Minister, an officer of the 
Minister or a payment service provider, as the case may be, may reasonably 
require for the purposes of authenticating the identity of the nominated person, 

or 


(b) where the person has been appointed in that behalf in accordance with regulations 
made under section 244(l)(b) — 

(i) the public services card issued to the other person or a card issued to the other 

person by the Minister under section 264, and 

(ii) such other information or documentation as the Minster, an officer of the Minister 

or a payment service provider, as the case may be, may reasonably require for 
the purposes of authenticating the identity of the appointed person. 

(7) Where a person fails to comply with subsection (4) or (6), payment of benefit may 
be withheld until such time as the identity of the person is authenticated. 

(8) ^“The information or documentation provided by the Minister under subsection (5) 
may be recorded or retained by a payment service provider for the purposes of this 
section. 

(9) The information or documentation furnished by a person under subsection (4) or (6) 
may be recorded or retained by the Minister, an officer of the Minister or a payment 
service provider. 


Payment to persons other than claimant or beneficiary. 
244.— (1) Regulations may provide— 


As inserted by s.9 of 12/2015 
As inserted by s.9 of 12/2015 
As inserted by s.9 of 12/2015 
As inserted by s.9 of 12/2015 
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(a)^°^ for enabling a person to whom benefit is payable to nominate another person 
to receive that benefit on his or her behalf, subject to such conditions and in such 
circumstances as are prescribed, 

(bp for- 

(i) enabling a person to be appointed to exercise, on behalf of a claimant or 
beneficiary who— 

(I) is under 16 years of age, or 

(II) ^°® is certified by a registered medical practitioner to be a person who is or 

is likely soon to become unable for the time being to manage his or her 
own financial affairs, 

any right or power otherwise exercisable under this Act by the claimant or 
beneficiary, and 

(ii) subject to such conditions and in such circumstances as are prescribed for 
assuring the personal welfare of the claimant or beneficiary, authorising a 
person so appointed to receive and deal with any sum payable by way of 
benefit on behalf, and for the benefit, of the claimant or beneficiary, 

(c)^°^ where it appears to the Minister that the circumstances so warrant, for 
enabling, subject to such conditions and in such circumstances as are prescribed, 
a person to be appointed to receive and deal with on behalf of a claimant or 
beneficiary— 

(i) "^°* in respect of illness benefit, jobseeker's benefit, injury benefit. State pension 

(contributory). State pension (transition), invalidity pension, jobseeker's 
allowance, farm assist, pre-retirement allowance. State pension (non¬ 
contributory), blind pension or disability allowance, so much of the benefit, 
pension, assistance or allowance, as the Minister considers reasonable in the 
circumstances but in no case shall the amount to be received and dealt with 
as provided for in this subparagraph exceed the total amount payable less the 
amount payable by virtue of section 43 (1), 66 (1), 76 (1), 112 (1), 117 (1), 122 
(1), 142 (l)(b)(i), 150 (l)(a), 157 (l)(a), 211 (l)(a) or 215 (l)(a), as appropriate, 

(ii) '^“ in respect of widow's (contributory) pension widower's (contributory) 
pension or surviving civil partner's (contributory) pension so much of the 
pension as is payable by virtue of section 127 (1), or in respect of one-parent 


As amended by s.17 of 15/2016 
As substituted by s.20(a)(i) of 2/2008 
As amended by s.lO of 22/2008 
As amended by s.20(a)(ii) of 2/2008 
As amended by s.4(l) and s.l7 of 5/2006 
As amended by s.40 of 37/2010 
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family payment, so much of the payment as is payable in respect of a qualified 
child by virtue of section 174 (1), 

(iii)"^“ in respect of disablement pension, domiciliary care allowance, child benefit 
or working family payment, so much of the pension, allowance, benefit or 
supplement as the Minister considers reasonable in the circumstances, 

in respect of supplementary welfare allowance, so much of the allowance 
as the Minister considers reasonable in the circumstances, 
and 

(d) in connection with the death of any person, for enabling a claim for benefit to be 
made or proceeded with in the person's name, subject to the conditions that may 
be prescribed. 

(2) Regulations may also provide that probate or other proof of title of the personal 
representative of any deceased person may be dispensed with in the case of payment 
of any sum representing benefit, and that in any such case the sum may be paid to or 
distributed among the persons appearing in the manner provided by the regulations 
to be entitled to receive that sum or any part of that sum, either as being persons 
beneficially entitled to that sum under any testamentary instrument or as next of kin, 
or as being creditors of the deceased person, or to or among any one or more of those 
persons excluding the others. 

(3) '^^^ Regulations under this section may make provision for the powers exercisable by, and 

the obligations of, persons appointed to receive and deal with sums payable by way 
of benefit, including, in particular, an obligation to account for sums so received. 

Information to be supplied by claimants and beneficiaries for profiling and activation purposes 

[Section 244A as inserted by s.l2^^^ of Social Welfare and Pensions Act 2011 and amended by 

s.lO'^^'^ of the same Act] 

244A.— (1) The Minister may prescribe information and the nature and form of such 
information to be furnished by a claimant or beneficiary where the Minister forms 
the opinion that the furnishing of that information would assist— 

a deciding officer, bureau officer, a designated person or any other person 
who makes a decision in relation to a claim for, or the payment of, benefit in 
deciding whether— 


As amended by s.29 of 5/2006; s.16(e) of 2/2008; s.24 of 28/2010 and s.8 of 38/2017 
''ll Inserted by s.l8(2) of 2/1008, amended by s.22 of 16/2014 
''i^ Inserted by s.20(b) of 2/2008 
''i^ Commenced on enactment 
'll'' Commenced 1 October 2011 
'ii^ As amended by s.l0(2) of 9/2011 
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(i) a claimant is entitled to make a claim for benefit or to receive any benefit, or 

(ii) a beneficiary is entitled to continue to receive any benefit, or 

(b) in assessing the training, education or development needs appropriate to the 
circumstances of the claimant or beneficiary. 

(2) For the purposes of the information to be furnished by a claimant or beneficiary 
under subsection (1), different types and forms of information may be prescribed 
in relation to¬ 
la) different classes of claimants or beneficiaries, or 
(b) different benefits. 

Disqualification from receipt of benefit where identity not authenticated 

247C. (1) The Minister may give notice to any person receiving a benefit requesting the person, 

at the time specified in the notice, to satisfy the Minister as to his or her identity. 

(2) A person shall be disqualified from receiving any benefit, including any increase in that 
benefit, for any week or part of a week, commencing after the time specified in the 
notice under subsection (1), or any time thereafter as may be determined by the 
Minister and notified to the person, during which that person fails to satisfy the 
Minister as to his or her identity. 

(3) A notice under subsection (1) may require the person to whom it is given to do one or 
more than one of the following, as the Minister considers appropriate, at the time 
specified in the notice, or at any time thereafter as may be determined by the Minister 
and notified to the person: 

(a) attend at an office of the Minister or such other place as the Minister may 
designate as appropriate; 

(b) provide to the Minister, at that office or other designated place, such 
information and to produce any document to the Minister as the Minister may 
reasonably require for the purposes of authenticating the identity of that 
person; 

(c) allow a photograph or other record of an image of that person to be taken, at 

that office or other designated place, in electronic form, for the purposes of 
the authentication, by the Minister, at any time, of the identity of that person; 

(d) provide, at that office or other designated place, a sample of his or her signature 

in electronic form for the purposes of the authentication, by the Minister, at 
any time, of the identity of that person. 

(4) The Minister shall retain in electronic form- 

la) any photograph or other record of an image of a person taken under subsection 
|3)|c), and 


Page 154 of 172 



(b) any signature provided under subsection (3)(d), 

in such manner that allows such photograph, other record or signature to be 

reproduced by electronic means. 

(5) This section shall not be construed as preventing the Minister from using a method 
of authentication of the identity of a person in receipt of benefit, other than a 
method referred to in this section, which the Minister considers appropriate to use. 

261 [as amended by of Social Welfare and Pensions Act 8/2007, by of Social Welfare 

And Pensions (No. 2) Act 432009, by s.S"^^ of Social Welfare and Pensions (Miscellaneous Provisions) 
Act 20/2013, by s.3*^^ of Social Welfare and Pensions Act 16/2014, by s.31^^° of Workplace Relations 
Act 16/2015] 

Exchange of information. 

261. (1) Information held by the Minister for the purposes of this Act (including the purpose of 
collection by the Revenue Commissioners of employment and self-employment 
contributions and contributions under Chapter 5A or 5B of Part 2) may be transferred 
by the Minister to the Revenue Commissioners, and — 

(a) information held by the Revenue Commissioners for the purposes of this Act or the 
Income Tax Acts relating to— 

(i) employers, 

(ii) reckonable earnings of employed contributors, 

(iii) reckonable income or reckonable emoluments of self-employed 
contributors, 

(iv) remuneration of persons to whom Chapter 5A of Part 2 applies, 

(v) income of persons to whom Chapter 5B of Part 2 applies, or 

(vi) any payments made under this Act, 
or 

(b) information contained in declarations made in accordance with Regulation 3 of the 
Income Tax (Relevant Contracts) Regulations 2000 ( S.l. No. 71 of 2000 ), 

may be transferred by the Revenue Commissioners to the Minister. 

(2) Information held by the Minister for the purposes of this Act or the control of schemes 
administered by or on behalf of the Minister or the Department of Social and Family 
Affairs may be transferred by the Minister to another Minister of the Government or 
a specified body, and information held by another Minister of the Government or a 
specified body which is required for those purposes or the control of any such scheme 
administered by another Minister of the Government or a specified body may be 
transferred by that Minister of the Government or the specified body to the Minister. 


Commenced on enactment (but later superseded when the subsection was substituted by s.6 of 20/2013) 
Commenced on enactment 
Commenced on enactment 
Commenced on enactment 

420 Workplace Relations Act 2015 (Commencement) (No. 2) Order 2015 (S.l. No. 410 of 2015) 
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(2A) Information held by the Minister for the purpose of this Act or the control of schemes 
administered by or on behalf of the Minister or the Department of Social and Family 
Affairs may be transferred by the Minister to— 

(o) the competent authority of a Member State other than the State, or 
{b) an international organisation, any other state or government or the proper 
authority under any other government in respect of which an order has been 
made under section 287. 

(2B) Information held by the Minister for the purposes of this Act or the control of 
schemes administered by or on behalf of the Minister or the Department of Social 
Protection may be transferred by the Minister to a payment service provider, and 
information held by a payment service provider which is required for those purposes 
or the control of any such scheme administered by a payment service provider may 
be transferred by the payment service provider to the Minister. 

(3) In subsection (2) "specified body" means a local authority, the Executive, the Garda 
Sfochana or any other body established — 

(o) by or under any enactment (other than the Companies Acts 1963 to 2005), or 
{b] under the Companies Acts 1963 to 2005, in pursuance of powers conferred by or 
under any other enactment, 

and financed wholly or partly by means of moneys provided or loans made or 
guaranteed, by a Minister of the Government or the issue of shares held by or on behalf 
of a Minister of the Government and a subsidiary of any such body. 


Disclosure of certain information to Minister for Enterprise, Trade and Employment, etc. [inserted by 
s.31(b) of 8/2007] 

261A.— (1) In this section — 

'specified body' means the body dedicated to employment rights compliance to be 
established or established (both on an interim and a statutory basis) and referred to 
in sections 12.3 and 13.1 of Part Two of the publication entitled 'Ten-Year 
Framework Social Partnership Agreement 2006 - 2015', published on behalf of the 
Department of the Taoiseach in June 2006 by the Stationery Office and known as 
'Towards 2016'. 

(2) Notwithstanding any obligation to maintain secrecy or any other restriction on the 
disclosure or production of information obtained by or furnished to the Minister, the 
Minister may transfer to the Minister for Enterprise, Trade and Employment or the 
specified body information held by the Minister in relation to— 

(o) the employers of individuals, or 

{b] individuals, as to whether or not they are in insurable employment or insurable 
self-employment. 
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and information of the type referred to in paragraph (a) or {b] held by the Minister 
for Enterprise, Trade and Employment or the specified body may be transferred by 
the Minister for Enterprise, Trade and Employment or the specified body, as the 
case may be, to the Minister. 

(3) Information transferred by the Minister under subsection (2) to the Minister for 
Enterprise, Trade and Employment or the specified body may be used only by the 
Minister for Enterprise, Trade and Employment or the specified body, as the case may 
be, in the exercise of their powers and functions in relation to employment rights 
compliance and shall not be disclosed by the Minister for Enterprise, Trade and 
Employment or the specified body to any other person (other than to each other) for 
any other purpose whatsoever. 


Personal public service number. 

262 [os amended by s.32^^^ of Social Welfare and Pensions Act 8/2007 ss.S'^^^, 2&^^^ and 23(2/^^ 

of Social Welfare and Pensions Act 37/2010; sl4^^^ of Social Welfare and Pensions Act 9/2011; s.l5*^^ 
of 12/2012; s. of Credit Reporting Act 2013] 

(8) Subject to this section, in this section and sections 263 to 270— 

"personal public service number" means a number allocated and issued in 
accordance with subsection (2)-, 

"primary account number", in relation to a public services card or a card issued under 
section 264, means a number consisting of— 

(o) an issuer number, issued under licence from the International Standards 
Organisation, 

[b] a personal public service number, and 

(c) a card number allocated, in the case of a public services card, by the Minister 

or, in any other case, by the person who issued the card; 

"public service identity", in relation to a person, means the information specified in 
subsection (3) and the person's personal public service number; 

"specified body" shall be read in accordance with Schedule 5; 

"spouse" means each person of a married couple; 


Commenced on enactment 
Commenced on enactment 
Commenced on enactment 

Commenced by Social Welfare and Pensions Act 2010 (sections 15 to 26) (Commencement) Order 2010 (S.l. No. 673 
of 2010), art. 2 

Commenced by (S.l. No. 673 of 2010) 

Commenced on enactment 
Commenced by (S.l. No. 195 of 2012) 

Commenced on enactment 
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'transaction" means— 


(o) an application, 

{b] a claim, 

(c) a communication, 

{d) a payment, or 

(e) a supply of a service, 

relating to a public function of a specified body which relates to a natural person. 

(9) The Minister may, subject to subsection (2A), allocate and issue a personal public 
service number to each person who is the subject of any transaction with a specified 
body. 

(2A)429The Ministershall not allocate and issuea personal public service numbertoa person 
unless the Minister is satisfied as to the identity of the person to whom such number 
is to be allocated and issued. 


(3) (o) For the purposes of allocating and issuing a personal public service number, a person 
or, in the case of a deceased person, a personal representative, who has any 
transaction with a specified body shall give to the Minister the following information 
in relation to the person or the deceased person, as the case may be: 

(i) surname; 

(ii) forename; 

(iii) date of birth; 

(iv) place of birth; 

(v) sex; 

(vi) all former surnames (if any); 

(vii) all former surnames (if any) of his or her mother; 

(viii) address; 

(ix) nationality; 

(x) date of death; 

(xa) certificate of death, where relevant; 

(xb) where required, a photograph of the person, except where the person is 
deceased; 

(xc) where required, the person's signature, except where the person is deceased; 


429 s 15429 of 12/2012 
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(xd) any other information as may be required for authentication purposes that is 
uniquely linked to or is capable of identifying that person; 

(xi) any other information that may be prescribed which, in the opinion of the 
Minister, is relevant to and necessary for the allocation of a personal public 
service number. 


{b] Where a person who has a transaction with a specified body is under the age of 18 
years, the following information shall be given to the Minister in relation to that 
person by that person's parent or guardian — 

(i) the information specified in paragraph (o), and 

(ii) the public service identity of— 

(I) his or her mother and father, or 

(II) his or her guardian or guardians. 

(c) Where a person who has a transaction with a specified body is certified by a 
registered medical practitioner to be a person who is or is likely soon to become 
unable for the time being to manage his or her own financial affairs, the following 
information shall be given to the Minister by any person appointed to act on behalf 
of that person in accordance with regulations made under section 244(l)(b) — 

(i) the information specified in paragraph (o) in relation to the person so certified, 
and 

(ii) the public service identity of the person so appointed to act on behalf of that 
person. 

(3A) An officer of the Minister may retain any document (including a passport, visa, identity 
card, driving licence, birth certificate or marriage certificate or any other document 
establishing a person's nationality or identity), given for any purpose under this Act, 
for such period as may be reasonable which period shall not in any case exceed 21 
days. 

(3B) Where a document is retained under subsection (3A) a receipt in the prescribed form 
shall be issued in respect of it to the person concerned. 

(4) A person shall give to a specified body his or her personal public service number and 
the personal public service numbers of his or her spouse, civil partner or cohabitant 
and children, where relevant, as required by the body for the purposes of the person's 
transaction. 

(5) Where a specified body collects from a person any of the information specified in 
subsection (3), that information shall also be collected for the purpose of maintaining 
the person's public service identity. 

(6) (o) Where a specified body has a transaction with a person, the Minister may share the 

person's public service identity with the specified body to the extent necessary in 
respect of that transaction for authentication by the specified body of the person's 
public service identity. 
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(b) A specified body may use a person's public service identity in performing its 
public functions insofar as those functions relate to the person concerned. 

(7) Where an tArd-Chlaraitheoir collects information relating to the registration of the 
birth of a person, the information shall also be collected for the purpose of allocating 
the person's personal public service number. 

(8) In this section a reference to a personal public service number shall be read as 
including a reference to a number known as a revenue and social insurance number. 

(9) A person, other than — 

(o) the person to whom the personal public service number concerned refers, 

{b] the parent or guardian of the person under the age of 18 years to whom the 
personal public service number concerned refers, 

(c) a person who has been appointed to act on behalf of a person in accordance with 

regulations made under section 244(l)(b) to whom the personal public service 
number concerned refers, 

{d) a specified body, 

(e) a person who has a transaction with a specified body where the personal public 
service number is relevant to the transaction between the person and the 
specified body, or 

if) a person who is required to comply with section 260, 261 or 261A or regulations 
made under section 260, 

who uses a personal public service number or seeks to have a personal public service 
number disclosed to him or her is guilty of an offence. 

Offence 

262A'‘^^.— (1) A person is guilty of an offence where, for the purposes of the allocation and issue of a 
personal public service number to him or her or for any other person (including a 
deceased person) he or she— 

(o) knowingly makes any statement or representation, whether oral or written, 
which he or she knows to be false or misleading in any material respect, 
or knowingly conceals any material fact, or 

{b] gives or causes or knowingly allows to be given any document or other 
information which the person is required under section 262 or regulations 
made thereunder to give and which he or she knows to be false or 
misleading in any material respect. 

(2) A person guilty of an offence under this section is liable— 


Activities under the Credit Reporting Act 2013 is excluded from this sanction by s.6 thereof. 
Inserted by s32 of 8/2007 (commenced on enactment) 
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(a) on summary conviction, to a fine not exceeding €1,500 or imprisonment for 
a term not exceeding 6 months, or to both, or 

{b) on conviction on indictment, to a fine not exceeding €25,000 or 
imprisonment for a term not exceeding 5 years, or to both. 

Public services card 

263 [as amended by Social Welfare and Pensions Act 2010; s. 15*^^ of Social Welfare and Pensions 
Act 2012, s.3(e) of Social Welfare and Pensions Act 2014] 

(1)434 j|.^g Minister may, subject to subsection (1C), issue a card (in this Act referred to as a 
'public services card') to a person in such form as the Minister considers fit for the 
purposes of carrying out a transaction. 

(lA) Where a public services card is issued to a person the following information shall be 
inscribed on it: 

(o) the name of that person; 

{b] the personal public service number of that person; 

(c) a photograph of that person; 

{d) the signature of that person; 

(e) the issue number of the public services card; 
if) the expiry date of the public services card; 

(g) such other information (if any) as may be prescribed by the Minister. 

(IB) A public services card shall in addition to the information referred to in subsection 
(lA) contain the following information which shall be in non-legible form and be 
capable of being recovered by electronic means: 

(a) the name of that person; 

(b) the personal public service number of that person; 

(c) the date of birth of that person; 

(d) the place of birth of that person; 

(e) the sex of that person; 

(f) the nationality of that person; 

(g) all former surnames (if any) of that person; 

(h) all former surnames (if any) of the mother of that person; 

(i) a photograph of that person; 


Commenced on enactment 

Commenced by the Social Welfare and Pensions Act 2012 (sections 14,15 and 17) (Commencement) Order 2012 (S.l. 
No. 195 of 2012) 

Change by s.32 of 8/2007 superseded by later substitution 
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(j) the signature of that person; 

(k) the issue number of the public services card; 

(l) the expiry date of the public services card; 

(m) such other information (if any) as may be prescribed by the Minister 

(1C) The Minister shall not issue a public services card to a person unless the Minister is 
satisfied as to the identity of the person to whom such card is to be issued. 

(2) A person may, on request in that behalf to the Minister, obtain within 28 days of that 
request, where practicable, information which is electronically encoded on his or her 
public services card. 

(3) A person shall produce his or her public services card at the request of a specified 
body for the purposes of a transaction. 

(4) A person who uses or attempts to use a public services card or seeks to have a public 
services card produced to him or her, other than — 

(o) the person who is the holder of the card or a person appointed to act on behalf 
of the cardholder, 

{b) a specified body, for the purposes of a transaction, or 

(c) a person who has a transaction with a specified body where the personal public 
service number on the card is relevant to the transaction between that person 
and the specified body, 

is guilty of an offence. 


Cancellation and surrender of public services card, [inserted by of Social Welfare and Pensions 
Act 9/2011, amended by s.3"‘^®(e) of Social Welfare and Pensions Act 2014] 

263A.— (1) The Minister may cancel a public services card issued to a person under section 263 if— 

(o) the Minister becomes aware of a fact or a circumstance, whether occurring before 
or after the issue of the public services card, that would have required or 
permitted him or her to refuse to issue the public services card under section 263 
to the person had the Minister been aware of the fact or the circumstance before 
the public services card was issued, 

{b) the Minister is notified that the public services card is, without lawful authority or 
reasonable excuse, in the possession or control of another person, or 

(c) the Minister is notified by the person, or by another person who has been 
appointed to act on behalf of that person in accordance with regulations made 
under section 244(l)(b), that the public services card has been lost or stolen. 


Commenced on enactment 
Commenced on enactment 
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(2) Where a public services card issued to a person is cancelled under subsection (1), the 
Minister shall inform the person by notice in writing of the cancellation and the 
grounds for it. 

(3) Where a public services card issued to a person is cancelled under subsection (1), the 
person shall, if he or she is in possession or control of the public services card, 
surrender it as soon as practicable to the Minister. 

(4) Where a public services card is cancelled under subsection (1), the Minister may, if 
appropriate, require by notice in writing the person who is in possession or control of 
the public services card to surrender it as soon as practicable to the Minister. 

(5) A person who, without lawful authority or reasonable excuse, has a public services 
card other than a public services card that was issued to him or her in his or her 
possession or control shall, as soon as practicable, surrender it to the Minister. 

(6) A person who is required by subsection (3), (4) or (5) to surrender a public services 
card to the Minister, but without reasonable excuse, does not do so in accordance 
with the requirement, is guilty of an offence. 

(7) Where a public services card issued to a person is presented to a payment service 
provider for the purposes of obtaining payment of benefit, the payment service 
provider may withhold payment, confiscate the card and surrender it as soon as 
practicable to the Minister if— 

(a) the payment service provider becomes aware of a fact or circumstance, whether 
occurring before or after the issue of the public services card, that would have 
required or permitted the Minister to refuse to issue the public services card under 
section 263 to the person had the Minister been aware of the fact or the 
circumstance before the public services card was issued, or 

(b) the payment service provider is notified or becomes aware that the public services 
card is, without lawful authority or reasonable excuse, in the possession or control 
of a person other than the person to whom it is allocated and issued under section 
263. 


Authentication of identity. [Inserted by s.15^^^ Social Welfare and Pensions Act 12/2012] 

263B.— (1) For the purposes of satisfying himself or herself as to the identity of a person in respect of 
whom a personal public service number is to be allocated and issued under section 262, or 
in respect of whom a public services card is to be issued under section 263, the Minister 
may, without prejudice to any other method of authenticating the identity of that person, 
request that person — 

(a) to attend at an office of the Minister or such other place as the Minister may 
designate as appropriate. 


Commenced by the Social Welfare and Pensions Act 2012 (sections 14,15 and 17) (Commencement) Order 2012 (S.l. 
No. 195 of 2012) 
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(b) to provide to the Minister, at that office or other designated place, such 
information and to produce any document to the Minister as the Minister may 
reasonably require for the purposes of authenticating the identity of that person, 

(c) to allow a photograph or other record of an image of that person to be taken, at 
that office or other designated place, in electronic form, for the purposes of the 
authentication, by the Minister, at any time, of the identity of that person, and 

(d) to provide, at that office or other designated place, a sample of his or her signature 
in electronic form for the purposes of the authentication, by the Minister, at any 
time, of the identity of that person. 

(2) The Minister shall retain in electronic form- 

la) any photograph or other record of an image of a person taken pursuant to 
subsection (l)(c), and 

(b) any signature provided pursuant to subsection {l]{d], 

in such manner that allows such photograph, other record or signature to be 
reproduced by electronic means 


Payment card. 

264.— Without prejudice to section 263, for the purpose of the payment of benefit, the Minister 
may issue a card, other than a public services card, to a person in such form that the 
Minister determines. 

(lA) A card to which subsection (1) applies shall contain such information (if any) either 
inscribed on the card or in non-legible form capable of being recovered by electronic 
means, as may be prescribed by the Minister. 

(2) A person may, on request in that behalf to the Minister, obtain within 28 days of that 

request, where practicable, information which is inscribed or electronically encoded 
on the card to which subsection (1) applies and which relates to the person. 

(3) A person who uses or attempts to use a card to which subsection (1) applies, who is 
not the holder of the card or a person appointed to act on behalf of the cardholder, 
for the purposes of obtaining payment of benefit is guilty of an offence. 

Sharing of Information [Amended by s. 10, Health Act 2008;"^^® s. 8 and Sch. 2, Housing 

(Miscellaneous Provisions) Act 2009"^^°; s. 13, Social Welfare and Pensions Act 2012;"*"^^ s. 19 and Sch., 


As amended by s.9(2) of Social Welfare and Pensions Act 2010, commenced on enactment. 

Commenced under s. 1(2) on 1 January 2009 

Commenced 1 April 2011 (para. b(i)) by S.l. No. 83 of 2011, 14 June 2010 (para. b(ii)) by S.l. No. 253 of 2010 
Commenced on enactment, 1 May 2012 
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Social Welfare and Pensions (Miscellaneous Provisions) Act 2013;"^^^ s. 201, Data Protection Act 
2018;^"^^ s. 23, Childcare Support Act 2018^"^^] 

265(1) In this section — 

'Act of 2018' means the Data Protection Act 2018; 

'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament 
and of the Council of 27 April 2016^^ on the protection of natural persons with regard to the 
processing of personal data and on the free movement of such data, and repealing Directive 
95/46/EC (General Data Protection Regulation);", 

'controller' means a controller within the meaning of— 

(a) the Data Protection Regulation, or 

(b) Part 5 of the Act of 2018; 

'personal data' means personal data within the meaning of— 

(a) the Data Protection Regulation, or 

(b) Part 5 of the Act of 2018; 

"information" means any personal data or information extracted from that data, whether 
collected before or after 5 February 1999; 

"relevant purpose" means— 

(a) for the purposes of determining entitlement to or control of— 

(i) benefit, 

(ii) a service provided by or under sections 45,45A, 58,59 and 61 of the Elealth 
Act 1970 or regulations made thereunder, 

(iii) [ deleted by 20/2013] 

(iv) an allowance under the Blind Persons Act 1920,'^'*^ 

(v) a grant — 

(I) that— 

(A) was awarded in accordance with section 2 (amended by 
section 3 of the Local Authorities (Higher Education Grants) 
Act 1992) of the Local Authorities (Higher Education Grants) 
Act 1968,and 

(B) was continued under subsections (2) and (3) of section 6 of 
the Student Support Act 2011, 

(II) that— 

(A) was awarded pursuant to a scheme administered by a 
vocational education committee (within the meaning of 
section 7 of the Vocational Education Act 1930 ) whereby 
grants were provided to students to assist them in attending 
courses in higher or further education, and 
(B) was continued under subsections (2) and (3) of section 6 of the 
Student Support Act 2011, 


or 


‘*''2 Commenced on enactment, 28 June 2013 
'>'*3 Commenced 25 May 2018 by S.l. No. 174 of 2018 
Commenced 2 September 2019 by S.l. No. 348 of 2019 

Deletion provided for in s. 13, Social Welfare and Pensions Act 2008, not commenced at date of production of this 
administrative consolidation. 
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(Ill) that was awarded under a scheme of grants made pursuant to 
section 16 of the Student Support Act 2011, 
or 

(vi) legal aid awarded under the Civil Legal Aid Act 1995 , or 

(vii) financial support under the Childcare Support Act 2018 
or 

(b) for the purposes of— 

(i) carrying out a social housing assessment under section 20 of the Housing 
(Miscellaneous Provisions) Act 2009, 

(ii) allocating a dwelling under section 22 of the Housing (Miscellaneous 
Provisions) Act 2009, 

(iii) the determining of rent or other payment in accordance with section 58 of 
the Housing Act 1966, or the control thereof. 

(2) A specified body holding information may share that information with another 
specified body who has a transaction with a natural person relating to a relevant 
purpose, where the specified body seeking the information provides the personal 
public service number of the person who is the subject of the transaction and satisfies 
the controller of the specified body holding the information that the information 
requested is relevant to the transaction for that purpose between the person and the 
specified body seeking the information. 

(3) A specified body may only seek information for the purposes of a transaction relating 
to a relevant purpose. 


[Footnote to s. 265: OJ No. L 119, 4.5.2016, p.l] 


Data exchange— provision of education, [no amendments - information prescribed in S.l. No. 142 of 
2007 (below) but NB: VECs taken out of the scope by the SWP Act 12/2012] 

266.— Notwithstanding anything contained in any other enactment, a specified body may share any 
information that may be prescribed with — 

(o) the Minister for Education and Science, where that Minister requires the information 
for the purpose of enabling him or her to provide education in accordance with 
section 6{b] of the Education Act 1998 , or 

{b] an tUdaras urn Ard-Oideachas, where that body requires the information for the 
purpose of performing its functions under section 3 (o), {b] or {d) of the Higher 
Education Authority Act 1971 . 
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Data exchange — sharing of personal public service number. 

267.— (1) Notwithstanding anything contained in any other enactment, a specified body may 
share any information, that may be prescribed, with the Minister for the purpose of 
seeking from the Minister the personal public service number for each person in 
respect of whom the information is shared. 


(2) Information received by the Minister under subsection (1) may be used by the 
Minister for the purpose of identifying the personal public service number for each 
person in respect of whom such information is received and for updating the 
Minister's own records in respect of that person. 

(3) Where a specified body has sought a personal public service number under subsection 
(1) in respect of a person, the Minister may share any information, that may be 
prescribed, in respect of that person with that specified body for the purpose of giving 
that specified body the personal public service number relating to the person. 


Data exchange — health provisions 

268. —Notwithstanding anything contained in any other enactment, a specified body may share with 

another specified body information relating to a person using that person's personal public 
service number, where that information, otherthan the personal public service number, is being 
shared in accordance with the Health (Provision of Information] Act 1997 . 

Data exchange — rented accommodation 

269. —(1) Notwithstanding anything contained in any other enactment, the Minister may share any 

information, that may be prescribed, in relation to— 

(o) a house let for rent, 

{b] a landlord of a house let for rent or his or her agent, or 
(c) a tenant of a house let for rent, 
with a local authority for the purposes of— 

(i) assisting a fire authority, within the meaning of the Fire Services Act 1981 , in the 

exercise of its functions under that Act, or 

(ii) assisting a housing authority, within the meaning of section 23 (as amended by 
section 16 of the Housing (Miscellaneous Provisions] Act 2002 ) of the Housing 
(Miscellaneous Provisions] Act 1992 , in the exercise of its functions under sections 
17,18 and 20 of that Act, 
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in relation to that house let for rent, the landlord of a house let for rent or his or her agent or 
the tenant of a house let for rent. 

Data exchange — correction of inaccurate information. 

270. —Where the information shared between one specified body and another under section 266 , 

267, 268 or 269 is found to be inaccurate, the specified body on making the discovery shall 
confirm with the person the correct information and advise the other specified body of the 
amended information. 

Definition of information 

271. — (1) In sections 266 to 270 "information" means any personal data or information extracted 

from that data. 

(2) Sections 266 to 271 apply to information used for the purposes of section 266, 267, 268 
or 269 whether collected before or after 31 July 2000. 
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SCHEDULES 
SPECIFIED BODIES 


1. Each of the following shall be a specified body for the purposes of this Schedule and 
sections 262 to 270 : 

(1) a Minister of the Government, 

the Commission for Public Service Appointments, 
the Public Appointments Service, 
the Revenue Commissioners; 

(2) a local authority (for the purposes of the Local Government Act 2001); 

2(A)-a voc a t i on al e duc a t i on comm i tt ee (within th e m ea n i ng of s e ction 7 of th e Voc a tion al 

Educ a t i on Act 1930); "^ 

(2A) an education and training board^"*^ 

(3) the Health Service Executive; 

(4) a body established by the Minister for Education and Science under section 54 of the 
Education Act 1998, 

a payment service provider (within the meaning of section 122 (1) of the Finance 
(Local Property Tax) Act 2012 ) in relation to the purpose specified in that section of 
that Act,"*^^ 

An Foras Aiseanna Saothair,"*^® 

An Garda Siochana and the Defence Forces in respect of their own members. 

An Post ,"^^” 

An tArd-Chlaraitheoir, 
an tUdaras un Ard-Oideachas, 

Coillte Teoranta, 

Enterprise Ireland, 

Health and Social Care Professionals Council,'*^^ 

I r i sh W a t e r, 

National Educational Welfare Board,^^^ 

Quality and Qualifications Ireland,^^^ 

Registrar of Beneficial Qwnership of Companies and Industrial and Provident 
Societies,"*^^ 

the Central Applications Qffice, 
the Central Statistics Qffice, 
the Commission for Taxi Regulation,^^® 
the Companies Registration Qffice, 


Inserted by s. 6, Social Welfare and Pensions Act 2012; substituted by s. 72 and Sch. 6, Education and Training Boards 
Act 2013 

Substituted by s. 72 and Sch. 6, Education and Training Boards Act 2013 
Inserted by s. 18, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013 

Reference construed as being to An tSeirbhis Oideachais Leanunaigh Agus Scileanna with effect from 27/10/2013: s. 
38(c), further Education and Training Act 2013 and S.l. No. 406/2013 
Deleted by s. 32(d), Social Welfare and Pensions Act 2007 
Inserted by s. 20, Social Welfare and Pensions (No. 2) Act 2009 

Inserted by s. 20, Social Welfare and Pensions Act 2014; deleted by s. 11, Water Services Act 2017 
Body dissolved with effect from 1/1/2014, reference construed as being to Child and family Agency; s. 78, Child and 
Family Agency Act 2013 and S.l. No. 503/2013 

Inserted by s. 18, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013 

Inserted by reg. 3, S.l. No. 344/2019 - Social Welfare Consolidation Act 2005 (Specified Bodies) Regulations 2019 
Inserted by s. 35(a), Social Welfare and Pensions (Miscellaneous Provisions) Act 2006 
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the General Medical Services (Payments) Board, 

the Insolvency Service of Ireland, 

the Legal Aid Board, 

the Mental Health Commission, 

the National Breast Screening Board, 

the National Cancer Registry Board, 

the National Council for Special Education,'*^® 

the National Shared Services Office"*^® 

the National Treasury Management Agency, 

th e P e ns i ons Bo a rd, The Pensions Authority,'*®^ 

the Pensions Ombudsman, 

the Personal Injuries Assessment Board, 

the Private Residential Tenancies Board; 

the Private Security Authority"*®^ 

the Teaching Council"*®® 

the Probate Office,"*®"* 

the Property Services Regulatory Authority,"*®® 
the Pyrite Resolution Board,"*®® 
the Workplace Relations Commission"*®^ 
the Road Safety Authority,"*®® 

Sustainable Energy Ireland — The Sustainable Energy Authority of Ireland,"*®® 

(5) the following Voluntary Hospitals: 

Beaumont Hospital, Dublin, 

Cappagh National Orthopaedic Hospital, Dublin, 

Coombe Women's Hospital, Dublin, 

Dublin Dental Hospital, 

Hume Street Hospital, Dublin, 

Incorporated Orthopaedic Hospital of Ireland, Clontarf, Dublin, 
Leopardstown Park Hospital, 

Mater Misericordiae University Hospital, Dublin, 

Mercy Hospital, Cork, 

National Maternity Hospital, Dublin, 

National Rehabilitation Hospital, Dun Laoghaire, 

Our Lady's Hospice, Dublin, 

Our Lady's Hospital for Sick Children, Crumlin, Dublin, 

Portiuncula Hospital, Ballinasloe, Co. Galway, 

Rotunda Hospital, Dublin, 

Royal Victoria Eye and Ear Hospital, Dublin, 

South Infirmary/Victoria Hospital, Cork, 

St. James's Hospital, Dublin, 


Inserted by s. 18, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013 

Inserted by 35(b), Social Welfare Law Reform and Pensions Act 2006 

Inserted by s. 74, Data Sharing and Governance Act 2019 

Inserted by s. 56, National Treasury Management Agency Act 2014 

Substituted by s. 26, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013 

Inserted by s. 35, Social Welfare Law Reform and Pensions Act 2006 

Inserted by s. 35, Social Welfare Law Reform and Pensions Act 2006 

Inserted by s. 20, Social Welfare and Pensions Act 2011 

Inserted by s. 10, Property Services Regulatory Authority Act 2011 

Inserted by s. 13, Social Welfare (Miscellaneous Provisions) Act 2015 

Inserted by s. 31(1), Workplace Relations Act 2015 

Inserted by s. 20, Social Welfare and Pensions (No. 2) Act 2009 

Inserted by s. 20, Social Welfare and Pensions Act 2011 
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St. John's Hospital, Limerick, 

St. Luke's Hospital, Dublin, 

St. Mary's Hospital and Residential School, Baldoyle, Dublin, 

St. Michael's Hospital, Dun Laoghaire, 

St. Vincent's University Hospital, Elm Park, Dublin, 

St. Vincent's Hospital, Fairview, Dublin, 

The Adelaide and Meath Hospital, Dublin incorporating the National 
Children's Hospital, 

The Children's Hospital, Temple Street, Dublin, 

The Royal Hospital, Donnybrook, 

University Dental School and Hospital, Cork. 

2. Each of the following shall be a specified body for the purposes of this Schedule and 
section 266 : 

a person who provides, organises or procures a programme of education or 
training, 

a recognised school or centre for education (within the meaning of section 2 
of the Education Act 1998 ), 

a voc a t i on al e duc a t i on comm i tt ee (w i th i n th e m ea ning of s e ction 7 of th e 
Voc a t i on al 

Educ a t i on Act 1930) ,'^^° 

a university to which the Universities Acts 1997 and 1999 apply, 
an educational institution to which the Regional Technical Colleges Acts 1992 
to 2001 apply, 

the Dublin Institute of Technology, 
th e Furth e r Educ a t i on a nd Tr ai n i ng Aw a rds Counci l , 
th e H i gh e r Educ a t i on a nd Tr ai n i ng Aw a rds Counci l 
th e N a t i on al Qu ali f i c a t i ons Author i ty of I r ela nd . 

3. The Minister may by regulations amend paragraph 1 or 2 by adding a specified body 
to, deleting a specified body from, or amending a reference to a specified body in, 
those paragraphs. 


™ Deleted by s. 6, Social Welfare and Pensions Act 2012 

Deleted by s. 18, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013 
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Coimisiun Cosanta Sonrai 
21 Cearnog Mhic Liam, 
Baile 

Atha Cliath 2, 

D02 RD28, Eire. 


Data Protection 
Commission, 

21 Fitzwilliam Square, 
Dublin 2. 

D02 RD28. Ireland. 


dataprotection.ie 
i nfo@data protection, ie 
Tel: +353 (0)76 1104800 
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